TFlower Ransomware

TFlower ransomware, first observed in early August, was originally thought to be just another generic ransomware, but industry sources report that its use is on the rise and that it specifically targets businesses. With large ransom payments being sent to attackers, malware developers are taking advantage and writing ransomware aimed at businesses and government agencies. TFlower is deployed on a network after an attacker gains access to an exposed Remote Desktop service. Once inside through Remote Desktop, the attacker infects the local machine and attempts to spread through the network using tools such as PowerShell Empire or PsExec. When executed, TFlower displays a console that shows its activity and then connects back to its command and control (C2) server to report its status. In one instance, the C2 server appeared to be hosted on a compromised WordPress site. The ransomware then attempts to delete certain files and runs commands to disable the Windows 10 repair utilities. Once those tasks are complete, it begins encrypting data on the computer and sends a second status update to the C2 server. When encryption finishes, a ransom note is displayed with instructions on how and where to pay the ransom.

Analyst Notes

If Remote Desktop Protocol (RDP) is not needed on a host, the Remote Desktop service should be disabled and its inbound firewall rules closed. Even where RDP is needed, it should be turned off when not in use, and when in use it should never be exposed directly to the internet: place it behind a VPN so that port 3389 is reachable only by authenticated VPN users, and review failed Remote Desktop logons regularly, since a successful RDP compromise is the entry point described above.
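The following PowerShell is an added example and is not part of the original post or any vendor tooling. It audits a Windows host's RDP exposure, offers a one-call way to disable Remote Desktop and its firewall rules, and lists failed RDP logons from the Security log (event 4625 with logon type 10, which is RemoteInteractive). The registry path, firewall rule group name and event fields are standard Windows values; the function names are this example's own. Run it from an elevated PowerShell prompt on Windows 10 or Server 2012+.

```powershell
# Added example (not from the original post): audit and disable Remote Desktop.
# Assumes an elevated PowerShell 5.1+ session on Windows 10 / Server 2012+.

$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpExposure {
    # fDenyTSConnections = 1 means Remote Desktop is disabled.
    $deny = (Get-ItemProperty -Path $RdpKey -Name fDenyTSConnections).fDenyTSConnections
    # Inbound rules in the built-in "Remote Desktop" group are what open port 3389.
    $fwOpen = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    # Whether anything is actually listening on 3389 right now.
    $listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    # UserAuthentication = 1 requires Network Level Authentication before a session is created.
    $nla = (Get-ItemProperty -Path "$RdpKey\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
    [pscustomobject]@{
        RdpEnabled       = ($deny -eq 0)
        InboundRulesOpen = @($fwOpen).Count
        ListeningOn3389  = ($null -ne $listen)
        NlaRequired      = ($nla -eq 1)
    }
}

function Disable-Rdp {
    # Deny connections at the Terminal Server level and close the firewall group.
    Set-ItemProperty -Path $RdpKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Get-FailedRdpLogons {
    param([int]$Hours = 24)
    # Event 4625 = failed logon. LogonType 10 = RemoteInteractive, i.e. RDP.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Parse the event XML so field lookup is by name rather than by positional index.
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $type = ($data | Where-Object Name -eq 'LogonType').'#text'
        if ($type -eq '10') {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                User   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                Source = ($data | Where-Object Name -eq 'IpAddress').'#text'
            }
        }
    }
}

# Usage: inspect first, then decide whether to close RDP on this host.
Get-RdpExposure
Get-FailedRdpLogons -Hours 24 |
    Group-Object Source | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
# Disable-Rdp   # uncomment when Remote Desktop is not needed on this host
```

A host that reports RdpEnabled, open inbound rules and a listener on 3389 while also showing a single source address with many failed type-10 logons is exactly the exposure the analyst note warns about; disable RDP there or move it behind the VPN so that 3389 is not reachable from the internet at all.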