Update 12/4/14: Dedicated guide with all known information can be found here:
Added new information guide and FAQ:
TorrentLocker (fake CryptoLocker) Ransomware Information Guide and FAQ
Also contains country specific information. If you are from a country listed, or not listed, and have further info please feel free to shoot me a PM.
TorrentLocker is a ransomware that was released in late August to early September that pretends to be CryptoLocker. This ransomware will encrypt all of your data files and then display a ransom screen that demands 1.14 BTC in order to get a decrypter. If you wait too long, this ransom amount will double to a cap of 2.28 BTC. Many people are confusing this infection with the original CryptoLocker infection, but the only similarities is that this ransomware is using the same name. If you have been infected with something called CryptoLocker after June 2nd, 2014 then you are not infected with the original CryptoLocker, but instead by a new ransomware using the same name. If you have been infected recently with an infection called CryptoLocker, it is probably the TorrentLocker infection that this topic discusses.
Main Startup Window and Ransom Note
In the past, this infection was using an easy to decrypt XOR encryption method. Unfortunately, some researchers decided to publicly blog about this encryption method, which caused the malware developer to change the encryption to a much stronger and unbreakable decryption using AES. Due to this change, Nathan Scott's TorrentLocker decrypter no longer works on this infection.
When infected, this infection will scan your drive for data files and encrypt them using AES encryption. The infection uses a open source library called LibTom, which easily allows the malware developers to use a variety of encryption methods. Once your data has been encrypted, it will leave ransom notes in each folder that has encrypted files and then display a ransom note requesting payment.
The file extensions targetted by this ransomware are:
Originally, this infection used a static bitcoin address of 13qm2ezhWSHWzMsGcxtKDhKNnchfP5Sp3X to receive payments. Later versions switched to using a unique bitcoin address for each victim.
This infection does not use a secure deletion method of your original files. Due to this you can may be able to use a file recovery software such as R-Studio or Photorec to recover some of your original files. It is important to note that the more you use your computer after the files are encrypted the more difficult it will be for file recovery programs to recover the deleted un-encrypted files.
Files used by this infection are:
C:\ProgramData\<random>.exe C:\ProgramData\<random>.html C:\Users\All Users\<random>.exe C:\Users\All Users\<random>.htmlRegistry keys used by this infection are:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<random> C:\ProgramData\<random>.exe HKCU\Software\<Random>