{
	"id": "2d3d1bdf-1888-4513-8a84-3c43c6134898",
	"created_at": "2026-04-06T01:28:51.852621Z",
	"updated_at": "2026-04-10T03:20:38.152688Z",
	"deleted_at": null,
	"sha1_hash": "86d1650217e20e84935efa87e7dcfa0d5000c11b",
	"title": "TorrentLocker Ransomware Cracked and Decrypter has been made - Archived News",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 280107,
	"plain_text": "TorrentLocker Ransomware Cracked and Decrypter has been\r\nmade - Archived News\r\nBy Nathan\r\nArchived: 2026-04-06 00:58:03 UTC\r\n \r\nUpdate 12/4/14: Dedicated guide with all known information can be found here:\r\nAdded new information guide and FAQ:\r\nTorrentLocker (fake CryptoLocker) Ransomware Information Guide and FAQ\r\nAlso contains country-specific information. If you are from a country listed, or not listed, and have further info\r\nplease feel free to shoot me a PM.\r\nhttp://www.bleepingcomputer.com/virus-removal/torrentlocker-cryptolocker-ransomware-information#regions\r\nThe easy decryption method in TorrentLocker has been fixed by the developer. We have no way of\r\ndecrypting your files anymore.\r\n--\r\nThe Bleeping Computer Staff\r\n** Visitors looking for just the Decrypter and not the TorrentLocker Analysis can Download and read about it at\r\nthe bottom of the page or download it from Here **\r\nhttp://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/\r\nPage 1 of 5\n\nMain Startup Window and Ransom Note\r\nTorrentLocker Decrypted\r\nOn Aug. 12th 2014, a new sample was sent to me with the victim claiming it to be CryptoLocker. Upon running\r\nand quickly analyzing the exe, I found that it was a new Encrypting Ransomware (What's new?). This infection\r\nclaimed to be Cryptolocker, but also used the Ransom File Format of Cryptowall. I would guess the reason\r\nbehind this was to gain fear in the victim when infected as those 2 Ransomwares are uncrackable. After running\r\nthrough my normal checks when first getting an Encryption infection sample, I started my not so normal ones. I\r\nmade it an unwritten rule to myself that before trying to figure out hard encryption schemes the infection may use,\r\nto always try the easy ones quickly first. This means testing an encrypted file for MD5, SHA-1, RC2, RC4, XOR,\r\nBit Shift and other lower encryption schemes first. 
(I started doing this because of Cryptorbit's simple encryption\r\nthat I spent far too long on.)\r\nAfter going through the list, my jaw about dropped to the floor when I hit XOR. The virus creator of this infection\r\nused a simple (and I mean nothing else) XOR algorithm. I found this by taking an encrypted file and XOR'ing its\r\nbytes with the good file's bytes. This produced a file with a 2MB key buffered with zeros at the bottom. The zeros\r\nhappen because the infection only encrypts the first 2MB of files. When taking the 2MB key and XOR'ing it with\r\na different encrypted file, it was successfully decrypted.\r\nXor Key Sample File (2MB)\r\nAfter finding this out, seeing as how it is such a simple mistake, I knew I had to keep it quiet and just build a\r\npublic application for victims to use without disclosing how it works, as the virus creator would simply fix the\r\nissue. So for the last few weeks I have been spending time making the decryption application for the victims, but\r\nit seems that a few bloggers didn't feel the same way (Again, What's new?)\r\n2 days ago Digital-forensics Blog decided that after also finding out this information, to post it publicly that there\r\nwas a \"mistake on the malware author's part\", and continued to describe in detail what those mistakes were, and\r\nalso gave the virus creator some pointers! 
One thing they did not do though is post a way for any victims to\r\ndecrypt their files after now alerting the virus creator that he made a mistake.\r\nSince then the story has circled around and has been posted on multiple blogs, making almost certain that if the\r\nvirus creator didn't know, he does by now.\r\nTorrentLocker Details\r\nTo go into a little more detail about this infection, when run it injects itself into a new instance of Explorer, queries\r\nall Logical Drives, and loops through each drive encrypting each file it finds that has one of the extensions below and\r\nadding .Encrypted to the end.\r\nTorrentLocker Affected Extensions:\r\n*.wb2,*.psd,*.p7c,*.p7b,*.p12,*.pfx,*.pem,*.crt,*.cer,*.der,*.pl,*.py,*.lua,*.css,*.js,*.asp,*.php,*\r\nThe virus's Import table consists of: NTDLL.DLL, SHLWAPI.DLL, WININET.DLL, CRYPT32.DLL,\r\nMAPI32.DLL, KERNEL32.DLL, USER32.DLL, ADVAPI32.DLL, SHELL32.DLL, OLE32.DLL, and\r\nOLEAUT32.DLL. The virus actually uses an open source Lib to assist in the encryption which is named LibTom.\r\nA lot of these bloggers seem to think that the virus creator used AES or another advanced encryption to generate the\r\nXOR key, and simply forgot/ignored to use the key with an advanced encryption before using XOR. Yet, the code\r\nproves otherwise. The author simply uses a 32 byte seed to generate the 2MB key stream, and it's used to XOR the\r\nfile. 
Simple as that.\r\nExample of 32 Byte Seed\r\nFile List:\r\nC:\\Windows\\\u003cRandom\u003e.exe - Duplicate infection EXE\r\n*\\DECRYPT_INSTRUCTIONS.HTML - Ransomnote (Dropped in any encrypted folder)\r\n%ProgramData%\\\u003cRandom\u003e\\\u003cRandom\u003e - Temp file for the infection (No Extension)\r\nRegistry List:\r\nHKCU\\Software\\\u003cRandom\u003e\\01000000 - Hex of infection\r\nHKCU\\Software\\\u003cRandom\u003e\\02000000 - Path to infection exe\r\nHKCU\\Software\\\u003cRandom\u003e\\03000000 - UID for infection\r\nHKCU\\Software\\\u003cRandom\u003e\\04000000 - HTML Document in hex\r\nHKCU\\Software\\\u003cRandom\u003e\\05000000 - Number of infected files\r\nC\u0026C List:\r\nHttps://server38.info/gate.php\r\nNote: It is also important to mention that this infection will not infect a computer without contacting its C\u0026C\r\nserver.\r\nTorrentLocker Decrypter\r\nTo download TorrentUnlocker, please use the following link:\r\nTorrentLocker De-Ransomware V1.0.5.0\r\nOnce the file has been downloaded, run the TorrentUnlocker.exe program. This will open the main window seen\r\nabove, then simply follow the instructions.\r\nIf you need any help with TorrentUnlocker please message me, Nathan (DecrypterFixer)\r\nThis is V 1.0.5.0 of TorrentUnlocker De-Ransomware. This software will help you decrypt files that were affected\r\nby TorrentLocker. There is a catch though! In order to use this Decrypter, you must have an Original version of an\r\nencrypted file that is at least 2MB. Let's say I have an image on my DropBox that is untouched by the infection\r\nnamed \"Family.jpg\" that is over 2MB, and that I had a copy of it on my local computer when the infection hit. 
To\r\nuse this app, all I would need is that \"Family.jpg\" and the \"Family.jpg.encrypted\" on my local computer.\r\nThis application requires .NET 4.0, but has it packaged inside. So if you do not have .NET 4.0, it will install it for\r\nyou. Even more important is, this application relies on you to give it the correct files to make the TorrentLocker\r\nkey. That means if you mess up, it messes up. So it is ALWAYS recommended to run this application on a folder\r\nwith copies of your encrypted files first! Once everything is confirmed to be okay, then you may select your whole\r\ndrive.\r\n* This application also has step by step guide arrows to help you glide through decrypting your files with ease. If\r\nyou ever find yourself confused on what the next step is, simply look for the blinking arrow to continue.\r\nA newer version will be coming soon with the following features to help victims more:\r\nResize ability\r\nSupport for files over 4GB\r\nAuto Correct Key detection\r\nThanks for reading!\r\nEdited by Grinler, 10 December 2014 - 06:02 PM.\r\nSource: http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/"
	],
	"report_names": [
		"torrentlocker-ransomware-cracked-and-decrypter-has-been-made"
	],
	"threat_actors": [],
	"ts_created_at": 1775438931,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86d1650217e20e84935efa87e7dcfa0d5000c11b.pdf",
		"text": "https://archive.orkl.eu/86d1650217e20e84935efa87e7dcfa0d5000c11b.txt",
		"img": "https://archive.orkl.eu/86d1650217e20e84935efa87e7dcfa0d5000c11b.jpg"
	}
}