TFlower Ransomware

TFlower is software categorized as ransomware. Unlike most ransomware, it does not change the extensions of the files it encrypts, so a directory listing alone gives no visible sign that a machine has been hit. It does, however, drop a ransom message (a text file named “!_Notice_!.txt”) containing instructions on how to purchase a decryption tool. Like other ransomware, TFlower encrypts (locks) files so that they cannot be accessed unless they are decrypted with a tool that the cyber criminals pressure victims into buying.

The ransom message (“!_Notice_!.txt”) states that files can only be decrypted with the key that was used to encrypt them. To obtain a decryption tool, victims are encouraged to pay TFlower developers a ransom of 15 BTC (Bitcoin).
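The two observables described above, the fixed ransom-note filename and the unchanged file extensions, are what a responder can actually hunt on. The following added example is not from the original page and is not TFlower's own code: it walks a directory tree, records every copy of “!_Notice_!.txt”, and flags files whose content no longer matches their extension (a missing magic header for formats that have one, or near-random byte entropy). The magic-byte table, the entropy threshold and the sample tree it builds are assumptions chosen for illustration, and the note text written into the sample is a constructed placeholder, not the real ransom message.

```python
"""Hunt for TFlower-style encryption where file extensions are left unchanged.

Two signals are used, both taken from the description of the ransomware:
  1. the ransom note "!_Notice_!.txt" present in a directory
  2. files whose bytes no longer match their extension: the expected magic
     header is gone, or the content has the entropy of ciphertext
"""
import math
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "!_Notice_!.txt"
ENTROPY_THRESHOLD = 7.5  # bits per byte; random ciphertext approaches 8.0 (assumed cut-off)

# Assumption: a small table of magic headers for formats that have a fixed one.
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
}

# Constructed placeholder text for the sample tree only; not the real note.
SAMPLE_NOTE_TEXT = "placeholder ransom note text\n"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str) -> bool:
    """True when the file body no longer matches what its extension promises."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(65536)  # first 64 KiB is enough for header and entropy
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return True  # extension kept, but the format header was overwritten
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def hunt(root: str) -> dict:
    """Walk root and collect ransom notes and files that look encrypted."""
    findings = {"ransom_notes": [], "suspect_files": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                findings["ransom_notes"].append(path)
            elif looks_encrypted(path):
                findings["suspect_files"].append(path)
    return findings


def build_sample_tree() -> str:
    """Constructed sample data: a clean .docx, an 'encrypted' .docx with its
    original name, a plaintext file, and a ransom note. Returns the root dir."""
    root = tempfile.mkdtemp(prefix="tflower_hunt_")
    with open(os.path.join(root, "clean.docx"), "wb") as f:
        f.write(b"PK\x03\x04" + b"word/document.xml " * 50)
    with open(os.path.join(root, "budget.docx"), "wb") as f:
        f.write(os.urandom(4096))  # stands in for ciphertext; extension unchanged
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("quarterly notes\n" * 40)
    with open(os.path.join(root, RANSOM_NOTE), "w") as f:
        f.write(SAMPLE_NOTE_TEXT)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for kind, paths in hunt(sample_root).items():
        print(kind, paths)
```

The magic-header check runs before the entropy check on purpose: it catches an encrypted Office document even when the ciphertext is short, and it costs nothing. The entropy check on its own will also flag formats that are compressed or encrypted by design (archives, JPEGs, password-protected PDFs), so on a real file server treat entropy hits as leads to triage, and treat the presence of the note as the high-confidence signal.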

TFlower targets corporate environments via exposed Remote Desktop Services (RDS). It follows the standard ransomware pattern: gain access to the system without being noticed, encrypt files the attackers assume are valuable to the victim, and then drop a ransom-demanding notice that offers the key that can reverse the encryption in exchange for payment. Because the encrypted files keep their original names and extensions, the damage is easy to miss until the note appears or applications fail to open their files.

First discovered in August, the ransomware enters a corporate network after attackers gain access to a machine through its exposed Remote Desktop Services and infect that host with TFlower. From there, the attackers can attempt to move laterally across the network and spread the infection using PowerShell Empire and other tools, so a single compromised host should be treated as a foothold for the whole network rather than an isolated infection. When executed, the ransomware displays a console window showing its activity while it encrypts the computer.