What’s new?
Researchers have uncovered a new ransomware dubbed ‘Tflower’ that targets corporate environments. It is distributed to corporate networks via exposed Remote Desktop services.
Modus Operandi
Malware operators compromise exposed Remote Desktop services and then install the Tflower ransomware onto corporate networks.
After completing the encryption process, the ransomware sends another status update to its C&C server, as an HTTP request of the form:
https://www[.]domain[.]com/wp-includes/wp-merge.php?name=[computer_name]&state=success%20[encrypted_file_count],%20retry%20[retried_file_count]
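The status-update URL above is the one network artefact this report gives, so it is the natural thing to hunt for in web-proxy logs. The following is an added detection example, not code from the original report or from any vendor: it parses constructed proxy log lines (the host names, client addresses and counts are made up for illustration), recognises a request whose path ends in `/wp-includes/wp-merge.php` and whose `name` and `state` parameters follow the `success <n>, retry <m>` shape shown, and extracts the reported computer name and file counts so an analyst can see how far encryption got on each host. The log line format (`client_ip method url`) is an assumption; adapt the splitter to your proxy's format.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines for illustration (not from the report).
# Format assumed here: "<client_ip> <method> <url>".
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET https://cdn.example.net/static/app.js
10.0.0.7 GET https://blog.example.org/wp-includes/wp-merge.php?name=FILESRV01&state=success%2012843,%20retry%203
10.0.0.9 GET https://blog.example.org/wp-includes/wp-merge.php?name=HR-PC-04&state=success%20250,%20retry%200
10.0.0.5 POST https://blog.example.org/wp-login.php
"""

# The "state" value, after percent-decoding, reads "success <count>, retry <count>".
STATE_RE = re.compile(r"^success\s+(\d+),\s*retry\s+(\d+)$")


def parse_status_beacon(url):
    """Return (computer_name, encrypted_files, retried_files) when `url`
    matches the post-encryption status-update shape, otherwise None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-includes/wp-merge.php"):
        return None
    # parse_qs percent-decodes values, so "%20" becomes a space here.
    query = parse_qs(parts.query)
    name = query.get("name", [None])[0]
    state = query.get("state", [None])[0]
    if name is None or state is None:
        return None
    match = STATE_RE.match(state)
    if not match:
        return None
    return name, int(match.group(1)), int(match.group(2))


def scan_proxy_log(text):
    """Scan proxy log text and return one record per matching beacon."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        client, _method, url = fields
        beacon = parse_status_beacon(url)
        if beacon is None:
            continue
        computer_name, encrypted, retried = beacon
        hits.append({
            "client": client,
            "c2_host": urlsplit(url).hostname,
            "computer_name": computer_name,
            "encrypted_files": encrypted,
            "retried_files": retried,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['client']} -> {hit['c2_host']}: host {hit['computer_name']} "
              f"reported {hit['encrypted_files']} files encrypted, "
              f"{hit['retried_files']} retried")
```

Matching on the full shape (path, both parameters and the `success …, retry …` grammar) rather than on the script name alone keeps false positives down; the computer name and counts pulled from each hit feed directly into scoping which hosts to isolate and which file shares to check first.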
The ransom note
Tflower ransomware also drops a ransom note named ‘!_Notice_!.txt’ on the computer and on the Windows desktop. The note instructs victims to contact the flower.harris@protonmail[.]com or flower.harris@tutanota[.]com email addresses for payment instructions.
“Dear Sir/Ma,
Sorry to inform you but many files of your computer has just been ENCRYPTED with a STRONG key. This simply means that you will not be able to use your files until it is decrypted by a same key used in encrypting it.
To get the decryptor tool for your COMPANY, you have to make payment to us so as to recover your files,” the ransom note reads, according to BleepingComputer.