While the attack vector saw a dip in popularity last year, this year it has come roaring back to the fore with several new strains of ransomware being developed and enjoying widespread use by hackers around the world.
One of the most recent entrants into the ransomware family is a new strain called “TFlower”, which made its first appearance in August of this year (2019). Since that time, it has begun seeing increasingly widespread use, so if this is the first time you’re hearing about it, know that it likely won’t be the last.
TFlower is introduced into company networks when hackers take advantage of exposed Remote Desktop services. Once the hackers have a toehold inside a company’s network, they’ll use that machine to connect to and infect as many other machines on the network as possible. Like many similar forms of malware, TFlower attempts to distract infected users while it’s encrypting their files. In this case, it will display a PowerShell Window that makes it appear that some harmless software is being deployed.
While it’s encrypting a victim’s files, it connects to its Command and Control Server to keep the software owners apprised of its activities. Then it attempts to clear the Shadow Volume Copies and attempt to disable the Windows 10 repair environment. This makes it difficult, if not impossible to recover files via conventional means. Note that it also attempts to terminate the Outlook.exe process so its data files can be encrypted.
When the software has done as much damage as it can do, it will litter the infected computer with a file named “!_Notice_!.txt” which explains that the computer’s files have been encrypted and in order to get them back, you’ll need to contact the malware owners at the email address provided for additional details.
Be sure your IT staff is aware, and given how this one is spread, check the security of your Remote Desktop services.