TXTME Ransomware: A Digital Kidnapper Hiding in Plain Sight

What Is TXTME Ransomware?

TXTME is a newly surfaced member of the infamous Dharma ransomware family. It follows the family's now-familiar but still dangerous pattern of operation: it encrypts files on a victim's system and demands payment in exchange for access. Once it infects a device, the ransomware renames every affected file by appending a unique victim ID, one of two attacker contact emails, and the ".TXTME" extension. For example, "photo.jpg" becomes something like "photo.jpg.id-9ECFA84E.[ownercall@tuta.io].TXTME".
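As an added example (not code from the article or from any analysis of the sample), the following Python parser recognises the file-naming pattern just described and summarises a directory listing by victim ID and contact email, which is useful when triaging an affected share. It assumes the victim ID is a hexadecimal string of at least eight characters, as in the article's example, and the directory listing it runs on is constructed here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Naming pattern described in the article:
#   <original name>.id-<victim ID>.[<contact email>].TXTME
# The victim ID in the article's example is 8 hex characters; the regex
# accepts 8 or more hex digits to tolerate variants (an assumption).
TXTME_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8,})"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.TXTME$"
)

@dataclass
class TxtmeName:
    original: str
    victim_id: str
    email: str

def parse_txtme_name(filename: str) -> Optional[TxtmeName]:
    """Return the components of a TXTME-renamed file, or None if it is not one."""
    m = TXTME_NAME.match(filename)
    if not m:
        return None
    return TxtmeName(m["original"], m["victim_id"], m["email"])

def triage_listing(filenames):
    """Summarise a directory listing: hit count, distinct IDs, contact emails."""
    hits = [p for p in (parse_txtme_name(f) for f in filenames) if p]
    return {
        "encrypted_count": len(hits),
        "victim_ids": sorted({h.victim_id for h in hits}),
        "contact_emails": sorted({h.email for h in hits}),
        "originals": [h.original for h in hits],
    }

# Constructed sample listing (not from a real incident): the article's
# example name, a second encrypted file, unaffected files and a look-alike.
SAMPLE_LISTING = [
    "photo.jpg.id-9ECFA84E.[ownercall@tuta.io].TXTME",
    "budget.xlsx.id-9ECFA84E.[ownercall@tuta.io].TXTME",
    "report.docx",
    "TXTME.txt",    # the ransom note itself is not an encrypted file
    "notes.TXTME",  # missing the id/email segments: not the pattern
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
```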

Upon encryption, the ransomware leaves behind two types of ransom notes: a pop-up notification and a text file titled TXTME.txt. Both messages inform the victim that their data is now inaccessible and offer a "solution"—email the attacker and prepare to pay a ransom in Bitcoin. The notes also warn against tampering with the encrypted files or using outside recovery tools, threatening permanent data loss if the victim tries to take matters into their own hands.

Here's what the ransom note says:

All your files have been encrypted!
Don't worry, you can return all your files!
If you want to restore them, write to the mail: ownercall@tuta.io YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:ownercall@mailum.com
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 3Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins

Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Understanding Ransomware Attacks

Ransomware like TXTME is a type of malicious software specifically designed to hold data hostage. After gaining access to a system, it encrypts files, locking users out of their information. Victims are then given instructions to pay a ransom, typically in cryptocurrency, to receive a decryption key. However, cybersecurity experts consistently warn against paying. There's no guarantee the criminals will provide the decryption tool, and paying only fuels the cycle of future attacks.

These attacks can have serious consequences, especially for businesses or institutions with sensitive or irreplaceable data. The risk of data loss, service disruption, and financial damage is high. Fortunately, the best defense is preparation: regularly backing up data to offline or remote locations significantly reduces the impact of a ransomware attack.

What Makes TXTME Different?

TXTME isn't just a simple file locker. It's engineered for deeper disruption and persistence. Once active, it disables the system firewall and deletes Volume Shadow Copies, which Windows typically uses for system restoration and file recovery. This makes it much harder for users to recover files without paying the ransom.

The malware also ensures it remains on the infected machine by copying itself to the %LOCALAPPDATA% directory and editing Windows registry keys to start every time the system boots. It even collects location data to avoid infecting systems in certain regions, suggesting that its operators want to steer clear of particular countries—possibly to evade legal consequences or avoid scrutiny from authorities in their jurisdictions.
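As an added example, not from the article or from any published analysis of TXTME, here is defender-side detection logic in Python for the behaviours described in the two paragraphs above: shadow copy deletion, firewall disabling, and a Run-key entry pointing into %LOCALAPPDATA%. The command-line patterns are the commonly documented ways of producing each behaviour on Windows, not TXTME's observed command lines, and the log format and log lines are constructed for the example; it also shows why chaining several behaviours per host matters, since each command alone is also run legitimately by administrators.

```python
import re
from collections import defaultdict

# Rules for the behaviours the article attributes to TXTME. The command
# lines are the commonly documented ways of producing each behaviour on
# Windows (an assumption: TXTME may use other means; tune against your
# own process-creation telemetry).
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete",
        re.IGNORECASE),
    "firewall_disabled": re.compile(
        r"netsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.IGNORECASE),
    "run_key_to_localappdata": re.compile(
        r"reg(?:\.exe)?\s+add\s+\"?HK.*?\\CurrentVersion\\Run\b.*?"
        r"(?:%LOCALAPPDATA%|AppData\\Local)", re.IGNORECASE),
}
# Constructed line format (not a real product's): one process start per line.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

def detect(lines):
    """Return one alert dict per (event, matched rule)."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        for rule, rx in RULES.items():
            if rx.search(m["cmd"]):
                alerts.append({"rule": rule, "host": m["host"], "ts": m["ts"]})
    return alerts

def hosts_with_chain(alerts, min_rules=2):
    """Hosts showing several distinct TXTME-like behaviours: a far stronger
    signal than any single command, which admins also run legitimately."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].add(a["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)

# Constructed sample telemetry: WS-07 shows the full chain, WS-02 only benign look-alikes.
SAMPLE_LOG = r"""
2025-05-21T10:02:11Z host=WS-07 user=CORP\jdoe cmd=vssadmin.exe delete shadows /all /quiet
2025-05-21T10:02:12Z host=WS-07 user=CORP\jdoe cmd=netsh advfirewall set allprofiles state off
2025-05-21T10:02:13Z host=WS-07 user=CORP\jdoe cmd=reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svc /d "%LOCALAPPDATA%\svc.exe"
2025-05-21T10:05:00Z host=WS-02 user=CORP\asmith cmd=vssadmin.exe list shadows
2025-05-21T10:06:00Z host=WS-02 user=CORP\asmith cmd=reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Sync /d "C:\Program Files\Sync\sync.exe"
""".strip().splitlines()
```

Running `hosts_with_chain(detect(SAMPLE_LOG))` on the constructed telemetry flags only WS-07; the single `vssadmin list` and the Program Files Run entry on WS-02 produce no alert.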

How TXTME Spreads

The exact methods of TXTME's distribution are still under investigation, but it likely spreads through exposed Remote Desktop Protocol (RDP) services. Attackers often use brute-force techniques to guess weak or common passwords on systems with RDP enabled. Once inside, they manually deploy the ransomware.

More broadly, ransomware is commonly delivered through phishing emails, malicious attachments, fake software updates, compromised websites, or bundled with pirated software. It can also spread through USB drives, infected installers, or vulnerabilities in outdated software. The threat landscape is constantly evolving, making vigilance essential.

Prevention and Best Practices

The best way to protect against ransomware like TXTME is through a mix of proactive security measures and awareness. Start by disabling RDP if it's not necessary. For systems where RDP is essential, use strong, complex passwords and enable multi-factor authentication. Keep all software, operating systems, and security tools up to date with the latest patches.

Be cautious when handling email attachments or clicking on links, especially when they come from unfamiliar sources. Refrain from downloading software from untrusted websites or using cracked versions of legitimate programs. These common vectors are how ransomware frequently slips past defenses.

The Importance of Backups

Backups remain one of the strongest countermeasures to ransomware. Keeping copies of important files on a separate device or a secure cloud service can drastically reduce the damage. In the event of an attack, systems can be wiped and restored without needing to engage with the attacker.

However, backups should be disconnected from the main system when not in use, as many ransomware strains attempt to find and encrypt attached backup drives as well. Scheduled, automatic backups with proper version control offer the most resilience.

Final Thoughts

TXTME reminds everyone that ransomware threats continue to evolve and adapt. While its methods echo other strains in the Dharma family, its tailored features—such as system persistence, firewall disabling, and targeted regional avoidance—show a sophisticated level of planning.

Cybercriminals are constantly looking for new ways to exploit vulnerabilities, but staying informed and maintaining good cyber hygiene can make a significant difference. By understanding how threats like TXTME operate, users and organizations can better prepare, respond, and recover—without falling into the trap of paying a digital ransom.

May 21, 2025