Canadian Centre for Cyber Security Releases Advisory on TFlower Ransomware Campaign

• The Canadian Centre for Cyber Security (CCCS) has released an advisory on the new TFlower ransomware campaign.
• The advisory outlines the assessment and actions in the context of this malware.

The Canadian Centre for Cyber Security (Cyber Centre) offers guidance and support with regard to cybersecurity for the Canadian public and government, among others.

The context

TFlower is a ransomware that was discovered on 30 July 2019. It primarily spreads through unpatched Remote Desktop services.

• This ransomware is also known to infect through malicious attachments in emails, ads, botnets, downloads, hoax updates, and web injects.
• Once it infects a system, it propagates through the network by using tools including PowerShell and PSExec.
• After contacting the command-and-control (C2) server about its readiness, the ransomware proceeds to delete shadow copies and encrypt files.
• The encrypted files will contain ‘*tflower’ marker at the beginning, but the filenames will remain unchanged.
• Then a ransom note, ‘!_Notice_!.txt’ will be placed on the WIndows desktop and throughout the computer.

“The Cyber Centre has become aware of this ransomware recently affecting the Canadian public,” states the advisory.

Recommended actions

The advisory suggests a number of actions to stay safe including applying the latest security patches and exercising caution when clicking links or opening documents from unverified sources.

• If not required, disable Remote Desktop Services. If enabled, closely monitor logs and network traffic for suspicious activity.
• Update antivirus software and whitelist authorized applications.
• Restrict the number of users with administrative privileges and ensure other users don’t have permissions to install software on devices without authorization.
• Disable macros for documents that are received over email.
• Ensure that you attentively monitor the domains associated with the TFlower ransomware campaign.