Welcome to BC.
Any files that are encrypted with Crypt0L0cker (TorrentLocker) will have the .encrypted extension appended to the end of the filename. When the encryption process is done, it will display the ransom notes which are created in every folder on the computer. Crypt0L0cker leaves files (ransom notes) named DECRYPT_INSTRUCTIONS.TXT, DECRYPT_INSTRUCTIONS.HTML, INSTRUCCIONES_DESCIFRADO.HTML, and How_To_Recover_Files.txt. More information about Crypt0L0cker can be found here.
A repository of all current knowledge regarding TorrentLocker is provided by Grinler (aka Lawrence Abrams), in this topic: TorrentLocker (fake CryptoLocker) Ransomware Information Guide and FAQ
If the file extension is actually .encryptedrsa, then you may be dealing with something else. Can you confirm that is the extension your client is dealing with?
Did you find any ransom note similar to the ones noted above?
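
Added example, not part of the post above: a read-only triage script that answers the two questions asked here by counting files with each extension and the ransom note names listed in the post. The function names and verdict labels are hypothetical; only the extensions and note filenames come from the post.

```python
import os
from collections import Counter

# Indicators quoted in the post above (compared case-insensitively).
NOTE_NAMES = {
    "decrypt_instructions.txt",
    "decrypt_instructions.html",
    "instrucciones_descifrado.html",
    "how_to_recover_files.txt",
}
EXT_MATCH = ".encrypted"      # extension the post attributes to Crypt0L0cker
EXT_OTHER = ".encryptedrsa"   # extension the post says may be something else


def triage(root):
    """Walk root and count the indicators; no file is opened or modified."""
    counts = Counter()
    note_dirs = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower in NOTE_NAMES:
                counts["notes"] += 1
                note_dirs.add(dirpath)
            elif lower.endswith(EXT_OTHER):
                counts["encryptedrsa"] += 1
            elif lower.endswith(EXT_MATCH):
                counts["encrypted"] += 1
    return counts, note_dirs


def verdict(counts):
    """Hypothetical labels for which case described in the post applies."""
    if counts["encryptedrsa"]:
        return "other-extension"   # .encryptedrsa present: may be something else
    if counts["encrypted"] and counts["notes"]:
        return "consistent"        # extension and ransom note both match
    if counts["encrypted"] or counts["notes"]:
        return "partial"           # only one of the two indicators found
    return "no-indicators"


if __name__ == "__main__":
    import sys
    c, dirs = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(dict(c), verdict(c), sorted(dirs)[:5])
```

Run it against a copy or a read-only mount of the affected volume so the original timestamps stay intact for later analysis.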