
New Tflower ransomware gets installed on corporate networks via exposed RDP services

  • Malware operators hack exposed Remote Desktop services and then install the Tflower ransomware onto corporate networks.
  • Once the files are encrypted, the ransomware will prepend the *tflower marker instead of appending an extension to the encrypted files.

What’s new?

Researchers have uncovered a new ransomware dubbed ‘Tflower’ that targets corporate environments. It is distributed to corporate networks via exposed Remote Desktop services.

Modus Operandi

Malware operators hack exposed Remote Desktop services and then install the Tflower ransomware onto corporate networks.

  • Once the attackers gain access to a machine via exposed RDP services, they infect it with the ransomware using tools such as PowerShell Empire and PSExec.
  • Once Tflower gets executed, it will display a console that shows the activity being performed by the ransomware.
  • The ransomware then contacts its C&C server and sends a status update reporting that it has started encrypting the computer.
  • Tflower scans for and terminates the Outlook.exe process so that Outlook's data files are no longer locked and can be encrypted.
  • While encrypting the data on the computer, Tflower skips any files in the Windows or Sample Music folders.
  • After encrypting the files, it will delete the Shadow Volume Copies and execute commands that disable the Windows 10 repair environment.
  • Once the files are encrypted, it will prepend the *tflower marker instead of appending an extension to the encrypted files.

After completing the encryption process, it will send another status update to its C&C server in the form of:

https://www[.]domain[.]com/wp-includes/wp-merge.php?name=[computer_name]&state=success%20[encrypted_file_count],%20retry%20[retried_file_count]
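For defenders, the completion beacon above is a usable detection point in web proxy logs. The following is an added example, not code from the original article or from the researchers: it matches only the path and query layout quoted above, and the proxy log layout, host names, IP addresses and computer name in the sample are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and query layout are taken from the status URL quoted in the article.
BEACON_PATH = "/wp-includes/wp-merge.php"
STATE_RE = re.compile(r"^success\s+(\d+),\s*retry\s+(\d+)$", re.IGNORECASE)

def parse_tflower_beacon(url):
    """Return a dict for a URL shaped like the completion beacon, else None."""
    parts = urlsplit(url.replace("[.]", "."))  # accept defanged input
    if not parts.path.lower().endswith(BEACON_PATH):
        return None
    query = parse_qs(parts.query)  # parse_qs percent-decodes %20 to a space
    name = query.get("name", [""])[0]
    state = query.get("state", [""])[0]
    m = STATE_RE.match(state.strip())
    if not name or not m:
        return None  # legitimate WordPress traffic lacks this name/state pair
    return {"host": parts.hostname, "computer": name,
            "encrypted": int(m.group(1)), "retried": int(m.group(2))}

def scan_proxy_log(lines):
    """Return (client_ip, beacon) pairs for log lines carrying a beacon URL.
    Assumed log layout: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines instead of failing the scan
        beacon = parse_tflower_beacon(fields[3])
        if beacon:
            hits.append((fields[1], beacon))
    return hits

# Constructed sample lines (hosts, IPs and computer name are made up).
SAMPLE_LOG = [
    "2019-09-18T10:02:11Z 10.0.4.17 GET https://intranet.example.org/index.html 200",
    "2019-09-18T10:41:55Z 10.0.4.23 GET https://compromised-site.example/wp-includes/"
    "wp-merge.php?name=FIN-WS-07&state=success%201842,%20retry%2012 200",
    "2019-09-18T10:42:03Z 10.0.4.23 GET https://blog.example.net/wp-includes/wp-merge.php?name=x 404",
    "malformed line",
]

if __name__ == "__main__":
    for client, b in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {b['host']}: computer={b['computer']} "
              f"encrypted={b['encrypted']} retried={b['retried']}")
```

A hit means encryption has already finished on the reporting host, so the client IP and computer name identify a machine to isolate and the destination host is a candidate for blocking.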

The ransom note

Tflower ransomware also drops a ransom note named ‘!_Notice_!.txt’ on the computer and the Windows desktop. The note instructs victims to contact flower.harris@protonmail[.]com or flower.harris@tutanota[.]com for payment instructions.

“Dear Sir/Ma,

Sorry to inform you but many files of your computer has just been ENCRYPTED with a STRONG key. This simply means that you will not be able to use your files until it is decrypted by a same key used in encrypting it.

To get the decryptor tool for your COMPANY, you have to make payment to us so as to recover your files,” the ransom note read, BleepingComputer reported.
