
TFlower Ransomware

By GoldSparrow in Ransomware

More and more cyber criminals are taking an interest in ransomware specifically. Data-locking Trojans appear to be perceived as a quick and easy way to make money with minimal repercussions. Among the newest ransomware threats detected is the TFlower Ransomware.

Spreading and Encryption

Since malware researchers have not been able to determine the exact propagation method used to spread the TFlower Ransomware, they are left with informed speculation. It is highly likely that its authors employ some of the most common propagation techniques, namely bogus software updates, pirated copies of legitimate applications, and emails carrying infected attachments. Once the TFlower Ransomware infiltrates a system, the file-encrypting Trojan scans all the data on it to locate the files it targets. It then begins locking the selected files. What is notable about the TFlower Ransomware is that, unlike most ransomware threats, which append an additional extension to the names of the affected files, this data-locking Trojan does not change the filename at all.

The next step is dropping the ransom note. The ransom note of the TFlower Ransomware is named '!_Notice_!.txt' and states:

'IMPORTANT NOTICE THAT IS URGENT AND TRUE
=================================================================
Dear Sir/Ma,
Sorry to inform you but many files of your COMPANY has just been ENCRYPTED with a STRONG key.
This simply means that you will not be able to use your files until it is decrypted by the same key used in encrypting it.

TO get the DECRYPT TOOL for your COMPANY, you have to make payment to us so as to recover your files.
You have to pay sum of 15 BTC to bitcoin address below:
BITCOIN ADDRESS:=>> 14nfYK5frS6Jb4B3mthRffTQuTFfeM9un3

NOTE
======================================================================
You may upload 1 of your encrypted files to test the decryption for free.
But, the file should not contain any valuable information.
All the operations can be done at following web site.
WEBSITE:=>> http://665vhhhfwgtpvq6765vektenyr5iw3d5duyydpnsdaijbp4xvz2rxeqd.onion/user.php?address=14nfYK5frS6Jb4B3mthRffTQuTFfeM9un3
E-MAIL :=>> flowerboard@torguard.tg'

In the note, the attackers specify a staggering ransom of 15 Bitcoin (~$150,000 at the time of writing). The authors of the TFlower Ransomware also provide an email address, 'flowerboard@torguard.tg', through which the victim can receive further instructions. The payment page is Tor-based, meaning it is hosted on the Deep Web and is only reachable via the Tor Browser.
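Because TFlower leaves filenames untouched, a check that looks only for a new extension will miss affected files. The following added example (not code from the original article or from any vendor tool) shows one defender-side triage check that follows from the behaviour described above: walk a directory, flag the '!_Notice_!.txt' note, and flag any file whose header no longer matches its extension and whose content is near-random. The magic-byte table, the 7.5 bits/byte entropy threshold and the sample tree it builds are constructed assumptions, not details from the page.

```python
import math
import os
import tempfile
from pathlib import Path

RANSOM_NOTE_NAME = "!_Notice_!.txt"   # note name reported for TFlower
# Constructed, non-exhaustive header table: extension -> expected leading bytes.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}
ENTROPY_THRESHOLD = 7.5               # assumption: ciphertext is close to 8 bits/byte

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(path: Path) -> bool:
    """True when a file keeps its name but its header is gone and its content is near-random."""
    head = path.read_bytes()[:4096]
    expected = MAGIC.get(path.suffix.lower())
    if expected is not None and head.startswith(expected):
        return False                  # header intact: treat as untouched
    return shannon_entropy(head) > ENTROPY_THRESHOLD

def scan_tree(root) -> dict:
    """Walk root and collect ransom notes and files whose content looks encrypted."""
    findings = {"ransom_notes": [], "suspect_files": []}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.name == RANSOM_NOTE_NAME:
            findings["ransom_notes"].append(str(p))
        elif looks_encrypted(p):
            findings["suspect_files"].append(str(p))
    return findings

def demo() -> dict:
    """Build a constructed sample tree (intact PDF, same-named random PDF, note) and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "invoice.pdf").write_bytes(b"%PDF-1.4\n" + b"intact body text\n" * 200)
    (root / "report.pdf").write_bytes(os.urandom(4096))   # constructed "encrypted" file
    (root / RANSOM_NOTE_NAME).write_text("IMPORTANT NOTICE THAT IS URGENT AND TRUE\n")
    return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```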

We strongly advise you to resist any urge to contact the attackers or negotiate with them. Instead, obtain a legitimate anti-virus software suite and use it to remove the TFlower Ransomware from your PC.
