
A new crypto-ransomware threat called “TFlower” is targeting corporate environments via exposed Remote Desktop Services (RDS).

First discovered in August, the ransomware makes its way onto a corporate network after attackers hack into a machine’s exposed Remote Desktop Services. This attack vector enables bad actors to infect the local machine with TFlower. At that point, malefactors can attempt to move throughout the network and generate even more infections using PowerShell Empire and other tools.

In either case, the way in which TFlower works is the same. As Bleeping Computer explains:

When executed, the ransomware will display a console that shows the activity being performed by the ransomware while it is encrypting a computer. It then connects back to the command and control server in order to give a status check that it has started encrypting a computer. In one of the samples…, this C2 is located on a hacked WordPress site….

The ransomware then attempts to delete shadow volume copies and disable the Windows 10 repair environment. If successful, these steps prevent the victim from recovering their data on their own.

At that point, TFlower begins encrypting data on the computer save for files stored in the Windows and Sample Music folders. It does not add a file extension like other ransomware families. Instead, it prepends a *tflower marker along with what appears to be an encrypted encryption key for the file.
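Because file names and extensions stay the same, responders have to scope the damage by file content rather than by name. The following is an added example, not code from Bleeping Computer or from the original article: it walks a directory tree and reports which files begin with the marker. It assumes the marker is the literal ASCII bytes `*tflower` at offset 0; the function names and the sample tree are constructed for illustration.

```python
import os
import sys
from collections import Counter

# Assumption: the marker is the ASCII bytes "*tflower" at offset 0 of the file.
MARKER = b"*tflower"

def has_marker(path, marker=MARKER):
    """True/False for the marker at offset 0; None if the file cannot be read."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(marker)) == marker
    except OSError:
        return None

def scan_tree(root, marker=MARKER):
    """Return (marked_paths, clean_count, unreadable_paths) for files under root."""
    marked, unreadable, clean = [], [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):  # do not follow links out of the tree
                continue
            state = has_marker(path, marker)
            if state is None:
                unreadable.append(path)
            elif state:
                marked.append(path)
            else:
                clean += 1
    return sorted(marked), clean, unreadable

def per_directory(marked):  # marked-file count per directory, to show spread
    return Counter(os.path.dirname(p) for p in marked)

def build_sample_tree(root):
    """Constructed sample data: two marked files, one clean, one too short."""
    samples = {"docs/report.docx": MARKER + b"\x00" * 32,
               "docs/notes.txt": b"plain text, untouched",
               "finance/q3.xlsx": MARKER + b"\x01" * 32,
               "finance/tiny.bin": b"*tf"}
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__" and len(sys.argv) > 1:
    marked, clean, unreadable = scan_tree(sys.argv[1])
    print(len(marked), clean, len(unreadable), per_directory(marked).most_common(10))
```

Run it with a directory path as the only argument, ideally against a read-only mount or forensic copy of the affected volume so the scan does not alter file timestamps.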

Once it has completed its encryption routine, the threat sends a status update to its C&C. It also drops ransom notes throughout the computer and on the infected machine’s desktop. This message instructs victims to contact a certain email address for payment instructions for an unspecified ransom amount.

A copy of the TFlower ransom note

TFlower falls into a trend of digital attackers increasingly targeting businesses and government agencies with ransomware. To do this, nefarious individuals aren’t just leveraging RDS to target organizations. Per ProPublica, bad actors are increasingly going after managed service providers (MSPs) in order to infiltrate dozens if not hundreds of businesses at once. Such was the case in late August 2019 when Percsoft and the Digital Dental Record, two organizations that provide online services to hundreds of dental offices throughout the United States, suffered ransomware attacks.

At the time of its research, Bleeping Computer knows of no flaws in TFlower’s encryption routine through which victims can recover their files for free. This highlights the importance of users and organizations alike taking steps to prevent a ransomware infection in the first place. This resource is a good place to start.