TFlower Ransomware - Binary Defense

Threat Watch

Share on facebook
Share on twitter
Share on linkedin

TFlower Ransomware

TFlower ransomware, which was discovered in early August, was originally thought to be just another generic ransomware but industry sources are seeing its use on the rise and specifically targeting businesses. With huge ransom payments being sent to attackers, developers are taking advantage and writing malware to target businesses and government agencies. TFlower is being spread to networks after a hacker successfully hacks Remote Desktop services. Once an attacker gains access to the Remote Desktop service, they will infect the local machine and attempt to spread through the network using tools such as PowerShell Empire or PSExec. When executed, TSFlower displays a console that shows its activity and then connects back to its Command and Control (C2) server to give a status check. In one instance, the C2 server appears to be located on a hacked WordPress site. The ransomware attempts to clear certain files and executes commands to disable Windows 10 repair utilities. Once those tasks are completed, it begins encrypting data on the computer and send a second status update to the C2 server. Once the encryption is complete, a ransom note is displayed that shows instructions on how and where to pay the ransom.

ANALYST NOTES

If Remote Desktop Protocols (RDP) is not being used, that particular process should be shut down. Even if RDP’s are used, they should be closed when not in use. When in use, they should be run behind a VPN to mask the original IP address.

Contact Support

Please complete the form below and a member of our support team will respond as quickly as possible.