TFlower Ransomware
Over the last two years, ransomware attacks have become increasingly common against businesses of all shapes and sizes. While the attack vector saw a dip in popularity last year, this year it has come roaring back to the fore, with several new strains of ransomware being developed and enjoying widespread use by hackers around the world. A new ransomware strain called "TFlower" made its first appearance in August of this year (2019). Since then it has seen increasingly widespread use, so if this is the first time you're hearing about it, know that it likely won't be the last.
TFlower is introduced into company networks when hackers take advantage of exposed Remote Desktop services. Once the hackers have a toehold inside a company's network, they use that machine to connect to and infect as many other machines on the network as possible. Like many similar forms of malware, TFlower attempts to distract infected users while it's encrypting their files, displaying a PowerShell window that makes it appear as though some harmless software is being deployed.
While it's encrypting a victim's files, it connects to its Command and Control server to keep the malware's operators apprised of its activities. It then attempts to clear the Shadow Volume Copies and to disable the Windows 10 repair environment, which makes it difficult, if not impossible, to recover files through conventional means. Note that it also attempts to terminate the Outlook.exe process so that Outlook's data files can be encrypted.
After the software has done its damage, it litters the infected computer with a file named "!_Notice_!.txt". The file explains that the computer's files have been encrypted and that, to get them back, you'll need to contact the malware's owners at the email address provided for further details.
IT staff should be aware of how this ransomware spreads and should check the security of their Remote Desktop Services.
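Turning the behaviours described above (clearing shadow copies, disabling the repair environment, killing Outlook.exe, and the "!_Notice_!.txt" note) into a simple host-triage check, as an added example that is not from the original post: it runs over constructed process-creation events and assumes the usual built-in Windows utilities (vssadmin, wmic, bcdedit, taskkill) are what carry out those steps, since the article does not name the exact commands.

```python
import re

# Constructed sample of process-creation events (Sysmon Event ID 1 style).
# These are NOT real telemetry from a TFlower infection.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "ws01", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im outlook.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad C:\\Users\\bob\\todo.txt"},
]

# One rule per behaviour the write-up describes. The article does not state
# which tools TFlower invokes; these are the built-in utilities most commonly
# abused for each step (assumption), matched case-insensitively.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "recovery_env_disabled": re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
    "outlook_killed": re.compile(r"taskkill(\.exe)?\s.*outlook\.exe", re.I),
}

RANSOM_NOTE = "!_Notice_!.txt"  # file name given in the article


def classify_event(event):
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES.items() if rx.search(event["cmdline"])]


def score_host(events, note_paths=()):
    """Aggregate matched behaviours per host. A host showing two or more of the
    pre-encryption steps, or any ransom note on disk, is flagged for response."""
    hits = {}
    for ev in events:
        for name in classify_event(ev):
            hits.setdefault(ev["host"], set()).add(name)
    for host, path in note_paths:  # (host, file path) pairs from a file-creation feed
        if path.lower().endswith(RANSOM_NOTE.lower()):
            hits.setdefault(host, set()).add("ransom_note_present")
    return {h: sorted(s) for h, s in hits.items()
            if len(s) >= 2 or "ransom_note_present" in s}


if __name__ == "__main__":
    notes = [("ws03", r"C:\Users\alice\Desktop\!_Notice_!.txt")]  # constructed
    for host, behaviours in score_host(SAMPLE_EVENTS, notes).items():
        print(host, behaviours)
```

A single rule firing (an administrator legitimately running bcdedit, say) is not flagged on its own; it is the combination of steps on one host that mirrors the sequence the article describes.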