A new crypto-ransomware threat called “TFlower” is targeting corporate environments via exposed Remote Desktop Services (RDS).

First discovered in August, the ransomware makes its way onto a corporate network after attackers hack into a machine’s exposed Remote Desktop Services. This attack vector enables bad actors to infect the local machine with TFlower. At that point, malefactors can attempt to move throughout the network and generate even more infections using PowerShell Empire and other tools.

In either case, the way in which TFlower works is the same. As Bleeping Computer explains:

When executed, the ransomware will display a console that shows the activity being performed by the ransomware while it is encrypting a computer. It then connects back to the command and control server in order to give a status check that it has started encrypting a computer. In one of the samples…, this C2 is located on a hacked WordPress site….

The ransomware then attempts to delete shadow volume copies and disable the Windows 10 repair environment. If successful, these steps prevent the victim from recovering their data on their own.
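As an added illustration (not code from the article or from Bleeping Computer), the following Python sketch shows how a defender could flag the two pre-encryption steps described above, shadow copy deletion and disabling of the recovery environment, in process-creation telemetry. The article does not state which commands TFlower issues; the command patterns, field names and sample events below are assumptions that reflect the usual ways these steps are performed on Windows, and the events are constructed, not real telemetry.

```python
import re

# Constructed sample process-creation events, shaped like a parsed
# Sysmon Event ID 1 feed (assumed field names; not real TFlower telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws01", "user": "CORP\\jdoe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "ws01", "user": "CORP\\jdoe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "srv02", "user": "CORP\\backup",
     "cmdline": "vssadmin list shadows"},          # benign: only lists copies
    {"host": "ws03", "user": "CORP\\asmith",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
]

# Detection rules (assumed patterns): name -> compiled regex over the command line.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_env_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("recovery_env_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

def classify(cmdline):
    """Return the set of rule names a single command line triggers (empty if none)."""
    return {name for name, rx in RULES if rx.search(cmdline)}

def find_alerts(events):
    """One alert per event that triggers at least one rule."""
    alerts = []
    for ev in events:
        hits = classify(ev["cmdline"])
        if hits:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "rules": sorted(hits), "cmdline": ev["cmdline"]})
    return alerts

def hosts_with_both(alerts):
    """Hosts where both steps were seen: the pairing the article attributes to TFlower,
    which is a stronger signal than either command on its own."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).update(a["rules"])
    wanted = {"shadow_copy_deletion", "recovery_env_disabled"}
    return sorted(h for h, rules in seen.items() if wanted <= rules)

if __name__ == "__main__":
    alerts = find_alerts(SAMPLE_EVENTS)
    for a in alerts:
        print(a["host"], a["user"], a["rules"], a["cmdline"])
    print("hosts showing both steps:", hosts_with_both(alerts))
```

Backup and administrative accounts legitimately run some of these tools, so the per-host pairing is what should raise priority; the single-command hits are better treated as leads to triage.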

At that point, TFlower begins encrypting data on the computer, except for files stored in the Windows and Sample Music folders. Unlike many other ransomware families, it does not append a file extension to encrypted files. Instead, it prepends a *tflower marker along with what appears to be an encrypted encryption key for the file.

Once it has completed its encryption routine, the threat sends a status update to its C&C. It also drops ransom notes throughout the computer and on the infected machine’s desktop. This message instructs victims to contact a certain email address for payment instructions for an unspecified ransom amount.

A copy of the TFlower ransom note

TFlower falls into a trend of digital attackers increasingly targeting businesses and government