TFlower ransomware is a file locking virus that targets companies and organizations worldwide

TFlower ransomware is a type of malware that locks all files and aims to extort money from users for the decryption tool that would allegedly allow access to data. The sample of the virus was first spotted by security researcher GrujaRS at the end of July 2019, and it does not seem to have any connections to other ransomware families.
It is yet unknown what distribution methods TFlower virus operators use, although the most common delivery techniques include spam email attachments, exploit kits, brute-force attacks, malicious installers, fake updates, web injects, etc. Once inside, the malware scans the local as well as network drives for files and then locks them using a sophisticated encryption algorithm.[1] Unlike most of the ransomware, TFlower does not append any extensions to documents, databases, pictures or other files.
However, TFlower ransomware does leave a ransom note called !_Notice_!.txt – a message from hackers which explains that enter a specific website via the Tor browser and pay 15 Bitcoins for the decryptor. Additionally, threat actors also provide contact email, which is flowerboard@torguard.tg. Judging from the ransom note, TFlower ransomware targets various organizations, although it does not mean that regular users cannot be infected.
| Name | TFlower |
| Type | Ransomware |
| Family | No known connections to other malware families |
| File extension | None |
| Ransom note | !_Notice_!.txt |
| Ransom size | 15 BTC |
| Contact | flowerboard@torguard.tg |
| File decryption | Only possible via backups or third-party tools |
| Removal | Terminate the virus by scanning your computer with reputable anti-malware software |
| Recovery | To repair malware damaged files, scan your computer with FortectIntego |
Malicious actors also offer a one-offer a free decryption service that is meant to give victims a false sense of reassurance that the files will be recovered as soon as the ransom will be paid. However, company representatives, as well as regular users, should avoid contacting cybercriminals and rather focus on TFlower ransomware removal, as well as alternative data recovery solutions.
Before TFlower ransomware proceeds with data locking process, it needs to establish itself on the host computer. For that, the malware makes significant operating system modifications within Windows registry and other sections. In such a way, the virus can perform the encryption without interruption and run in the background every time Windows is booted. Additionally, just like most of the ransomware viruses, TFlower also deletes Shadow Volume copies to prevent easy recovery.
As soon as all the data is locked, TFlower ransomware drops the following message:
IMPORTANT NOTICE THAT IS URGENT AND TRUE IMPORTANT NOTICE THAT IS URGENT AND TRUE =========================================
Dear Sir/Ma,
Sorry to inform you but many files of your COMPANY has just been ENCRYPTED with a STRONG key.This simply means that you will not be able to use your files until is is decrypted by the same key used in encrypting it.TO get the DECRYPT TOOL for your COMPANY, you have to make payment to us so as to recover your files.You have to pay sum of 15BTC to bitcoin address below:
BITCOIN ADDRESS:->> 14nfYK5frS6Jb4B3mthRffTQuTFfeM9un3NOTE
=========================================
You may upload 1 of your encrypted files to test the decryption for free.But, the file should not contain any valuable information.All the operations can be done at following web site.
WEBSITE:=>> [redacted]
E-MAIL :=>> flowerboard@torguard.tg
Security experts[2] recommend staying away from cybercriminals, as there is no guarantee that hackers will eventually provide the promised decryption tool. Instead, remove TFlower ransomware from the infected computer by using security software and then proceed with the file recovery process. To fix virus damage, scan your system with FortectIntego.

Ransomware uses various methods to get into your computer – use adequate protection
Since ransomware has become one of the most lucrative malware families,[3] cybercriminals continually look for new ways to deploy the virus in order to infect more victims and obtain more money. One of the best examples would be REvil or Sodinokibi – this malware strain was introduced right after GandCrab was shut down, and is now making rounds by employing a variety of distribution techniques.
To protect yourself from such attacks, you should:
- Employ a reputable anti-malware program and keep it updated;
- Patch Windows OS along with all the installed programs with security updates once they are released;
- Enable Firewall;
- Install ad-blocker;
- Stay away from spam email attachments – even if they seem to be reputable;
- Refrain from downloading pirated software and cracks;
- Avoid high-risk websites, such as torrent, porn, gambling, etc.;
- Enable two-factor authentication where possible and use strong passwords;
- Do not use default RDP (Remote Desktop) port.
Finally, make sure your company or your own personal files are always backed on a remote virtual server or external drive.
Remove TFlower ransomware to protect new files from being encrypted
To remove TFlower ransomware, you will have to scan the infected computer and the whole network (if connected) with anti-malware software. Be aware that not all AV detect the virus,[4] although the detection rate usually increases over time. Therefore, make sure you employ security software that can locate and terminate the infection. In case ransomware prevents anti-malware software from working correctly, access Safe Mode as explained below.

Once TFlower ransomware removal is complete, you can connect your backup device or upload files from a virtual environment. It is vital to delete the infection before proceeding with file recovery because all the backups would be immediately encrypted otherwise.
If you did not prepare any backups, chances of retrieving data are relatively low. Nevertheless, you can check our alternative solution guide below – some third-party software might be able to help.
Was this guide helpful?
Be the first to comment