Finnish Experts Crack TorrentLocker Ransomware - How to, Technology and PC Security Forum |

Finnish Experts Crack TorrentLocker Ransomware

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Finnish researchers Antti Nuopponen, Patrik Nisén and Taneli Kaivola of Finnish consultancy Nixu discovered how to decrypt the files that have been encrypted by the recently spread TorrentLocker ransomware without paying the required fee. All the user needs is the original and the encrypted version of at least one of the encrypted files, which size is more than 2MB.

TorrentLocker Ransomware Details

TorrentLocker is a relatively new type of ransomware, similar to CryptoLocker and CryptoWall. Its creators are apparently trying to profit from the fact that users fear these two types of malware.

TorrentLocker is delivered in a phishing campaign that is mainly active in Australia. The ransomware displays a message, informing the users that their files have been encrypted by CryptoLocker. For the lock-up of the user’s system, the cyber crooks use the Rijndeal encryption algorithm. The required Bitcoin payment for the decryption of the files is about $ 500 AUD. The fact that this particular infection uses components of other ransomware, which is known to the public, is extremely alarming.

The Decryption – How the Finnisch Trio Cracked TorrentLocker

The research team managed to crack the decryption path of TorrentLocker by discovering that the malware creators made one simple mistake: TorrentLocker applies the same keystream in order to encrypt all files in the same infection.

Here is what the research team said:

→”As the encryption was done by combining the keystream with the plaintext file using the XOR operation, we were able to recover the keystream used to encrypt those files by simply applying XOR between the encrypted file and the plaintext file,”

By further analysing the encrypted files, the team discovered that the malicious program attached additional 264 bytes of data to the end of every file, it encrypted. Only the first 2MB of the file are actually being encrypted, the rest is left intact.

The researchers assume that the hackers only encrypted the first 2MB in order to speed up the process, but this also made the discovery of the keystream easier.

The conclusion the specialists reached, was that the purpose of the extra 264 bytes added by TorrentLocker at the end of each file is unique for each infection. This, on the other hand, allowed the experts to write a software program that recognizes exactly which keystream has been used for the encryption of the files automatically.

Although this is good news for the PC users, the newly revealed information will unavoidably make TorrentLocker’s creators improve the encryption implementation scheme, so just in case – make sure you backup your files on a regular basis.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts


  1. AvatarS. Mitsos

    Having being encrypted by this ransomware is it possible to get some assistance to decrypt my files?

  2. AvatarBertaB (Post author)

    A manual approach can be quite risky in such cases. All experts recommend using an anti-malware program. You can test SpyHunter, for example, and see I it removes the ransomware. There is a free trial version that will scan your PC for threats. In order to keep more users, and potential ransomware victims informed, please give us a feed-back if the AV was helpful in your case. Thank you.

  3. AvatarMONTEL


    1. AvatarMilena Dimitrova

      Hi Montel, can you please provide more information? What extensions have been appended to your files? Have you run an anti-malware program to remove the ransomware leftovers?

      To do so, you can start a topic in our forum:

  4. AvatarGiuseppe

    Comunque non ho capito se è possibile decriptare i files


Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share