TFlower Ransomware

TFlower is software categorized as ransomware. Unlike most ransomware-type programs, it does not change the extensions of encrypted files. It does, however, create a ransom message (in a text file named “!_Notice_!.txt”) that contains instructions on how to purchase a decryption tool. Typically, programs such as TFlower encrypt (lock) files, which then cannot be accessed unless they are decrypted with a tool that the cyber criminals encourage victims to purchase.

The ransom message (“!_Notice_!.txt”) states that files can only be decrypted with the key that was used to encrypt them. To obtain a decryption tool, victims are encouraged to pay TFlower developers a ransom of 15 BTC (Bitcoin).
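Because the file extensions stay unchanged, the ransom note name is the indicator this article gives for scoping which directories were hit. The Python script below is an added example, not code from the original article: it walks a directory tree for “!_Notice_!.txt” and lists the files modified close to the note's timestamp. The one-hour window, the function names and the sample tree are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

NOTE_NAME = "!_Notice_!.txt"   # ransom note file name given in the article
# Assumption: files touched within 1 h of the note are suspect. This is a scoping
# heuristic and over-reports files legitimately edited in the same window.
WINDOW_SECONDS = 3600


def find_suspect_files(root, window=WINDOW_SECONDS):
    """Map each directory holding a ransom note to files modified near the note's mtime."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        notes = [f for f in files if f.lower() == NOTE_NAME.lower()]
        if not notes:
            continue
        note_mtime = min(os.path.getmtime(os.path.join(dirpath, n)) for n in notes)
        suspects = []
        for name in files:
            if name in notes:
                continue
            try:
                mtime = os.path.getmtime(os.path.join(dirpath, name))
            except OSError:
                continue  # file vanished or is unreadable; skip rather than abort the sweep
            if abs(mtime - note_mtime) <= window:
                suspects.append(name)
        findings[dirpath] = sorted(suspects)
    return findings


def build_sample_tree(base):
    """Constructed sample data: one directory with a note, one clean directory."""
    hit, clean = Path(base, "finance"), Path(base, "archive")
    hit.mkdir()
    clean.mkdir()
    now = 1_700_000_000
    for path, mtime in [(hit / NOTE_NAME, now), (hit / "q3.xlsx", now - 120),
                        (hit / "old.doc", now - 90 * 86400), (clean / "a.pdf", now)]:
        path.write_text("constructed sample")
        os.utime(path, (mtime, mtime))
    return str(hit)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for directory, names in find_suspect_files(tmp).items():
            print(directory, names)
```

Run it against a read-only mount or a forensic copy of the share so the sweep itself does not alter timestamps on the evidence.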

TFlower targets corporate environments via exposed Remote Desktop Services (RDS). It is a very malicious program that belongs to the infamous ransomware (cryptovirus) category. This infection is among the hardest to detect, and because of that its attack is very effective. As a typical cryptovirus, TFlower is straightforward in its activities and follows a specific agenda: its goal is to enter the system without being noticed and to apply complex encryption to the files it considers important to you. Once it locks them, the malware immediately places a ransom-demanding notification, which is used to blackmail you into paying a certain amount of money in exchange for the unique access key that can reverse the applied encryption.

First discovered in August, the ransomware makes its way onto a corporate network after attackers hack into a machine’s exposed Remote Desktop Services. This attack vector enables bad actors to infect the local machine with TFlower. At that point, malefactors can attempt to move throughout the network and generate even more infections using PowerShell Empire and other tools. When executed, the ransomware displays a console that shows the activity it is performing while it encrypts the computer.

TFlower is part of a trend of digital attackers increasingly targeting businesses and government agencies with ransomware. Nefarious individuals aren’t just leveraging RDS to target organizations. Per ProPublica, bad actors are increasingly going after managed service providers (MSPs) in order to infiltrate dozens if not hundreds of businesses at once. Such was the case in late August 2019, when PerCSoft and the Digital Dental Record, two organizations that provide online services to hundreds of dental offices throughout the United States, suffered ransomware attacks.

How to protect yourself from ransomware infections?

  • Do not open files attached to irrelevant emails or to emails received from unknown, suspicious addresses.
  • Download files and programs from official and trustworthy websites.
  • Keep the operating system and installed software up to date, using only the tools and built-in functions provided by the official developers.
  • Keep your computer secured with a reputable anti-virus or anti-spyware suite. 

