LTS Secure Warning: Threat Actors Deploying TFlower Ransomware on Corporate Networks via Exposed RDS

TFlower, a new crypto-ransomware, has been spotted targeting corporate networks via exposed Remote Desktop Services (RDS). Attackers break into systems with exposed RDP services, infect them with TFlower, and then attempt to move laterally through the network, spreading the infection further with tools such as PsExec and PowerShell Empire.


Technical Details

Infection Process of TFlower Ransomware:

  • Attackers use exposed RDP services to gain access to the system.
  • The TFlower ransomware is then deployed across the network using tools such as PsExec and PowerShell Empire.
  • When the ransomware executes, a console window pops up displaying the activities it is performing.
  • It then contacts its command and control (C&C) server to report that the encryption process has started.
  • The outlook.exe process, if running, is terminated so that its data files can be encrypted.
  • Files in the Windows and Sample Music folders are skipped.
  • Once encryption is complete, it disables the Windows repair environment and then attempts to delete any shadow copies present.
  • Unlike most ransomware, it does not append an extension to encrypted files. Instead, each file is prepended with a *tflower marker followed by the file's encrypted encryption key.
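The marker behaviour described above gives defenders a simple triage check. The following scanner is an added example, not code from the original advisory: it walks a directory tree and reports files whose first bytes are the *tflower marker. It assumes the marker is stored as the literal ASCII bytes "*tflower" at offset 0, and the sample files it builds are constructed for demonstration only.

```python
import os
import tempfile
from pathlib import Path
from typing import Iterator, List

# Marker the advisory describes as prepended to each encrypted file.
# Assumption: stored as the ASCII bytes "*tflower" at offset 0.
TFLOWER_MARKER = b"*tflower"


def is_tflower_encrypted(path: Path) -> bool:
    """Return True only if the file's first bytes are the marker."""
    try:
        with path.open("rb") as fh:
            head = fh.read(len(TFLOWER_MARKER))
    except OSError:
        # Locked or unreadable file: cannot confirm, so do not flag it.
        return False
    return head == TFLOWER_MARKER


def iter_files(root: Path) -> Iterator[Path]:
    """Yield regular files under root, skipping symlinks."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                yield p


def scan_for_tflower(root: Path) -> List[Path]:
    """Return a sorted list of files under root carrying the marker."""
    return sorted(p for p in iter_files(root) if is_tflower_encrypted(p))


def build_sample_tree(root: Path) -> None:
    """Constructed sample data for a stand-alone run (not real samples)."""
    (root / "docs").mkdir(parents=True, exist_ok=True)
    # Marker, then placeholders for the per-file encrypted key and ciphertext.
    (root / "docs" / "report.docx").write_bytes(TFLOWER_MARKER + b"<key><ciphertext>")
    (root / "docs" / "notes.txt").write_bytes(b"plain text, untouched")
    # A file that merely mentions the string later on is not flagged.
    (root / "docs" / "readme.md").write_bytes(b"see the *tflower advisory")
    (root / "empty.bin").write_bytes(b"")


def run_demo() -> List[str]:
    """Build the sample tree in a temp dir and return relative paths of hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return [p.relative_to(root).as_posix() for p in scan_for_tflower(root)]


if __name__ == "__main__":
    for hit in run_demo():
        print("marker found:", hit)
```

Point scan_for_tflower at a share or user profile root to get a list of affected files for restore planning; locked files are reported as unconfirmed rather than flagged.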


Impact

  • Downtime of business-critical operations.
  • Permanent loss of sensitive or confidential data.
  • Operational and financial loss to the business or individual.


Recommended Actions

  • Take system backups at regular intervals.
  • Disable remote services that are not required, to limit the attack surface.
  • Disable task-automation frameworks like Windows PowerShell where they are not needed.
  • Ensure that your devices are always up to date with the latest released patches.
  • Configure Firewall/IDS/IPS/Endpoint Protection systems properly so that no gaps are left open.