A new ransomware dubbed TFlower has been targeting corporate environments via exposed remote desktop services (RDS).
The TFlower threat was first discovered in the wild in August. According to a report in Bleeping Computer, evidence suggests that TFlower activity has been picking up. Hackers are likely looking to take advantage of the surge in high ransoms.
Attackers first target systems with RDS exposed to the public internet. Once the hackers compromise and infect a system, they can then pivot and scan for other insecure systems on the network using tools like PowerShell or PsExec.
In the next step of the attack, the compromised system connects to a command and control (C2) server to report the progress of the ransomware's encryption of the target computer.
The malware also deletes the Windows 10 Shadow Volume Copies and then disables Windows recovery, so the computer can no longer repair itself or restore the encrypted files from local snapshots.
Finally, the TFlower ransomware leaves a note behind on the victim's system called "!_Notice_!.txt". The note includes the payment instructions needed to recover the encrypted files.
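The shadow-copy deletion and recovery-disabling steps described above are the point in the chain where a defender still has a chance to intervene before data is lost. The following Python is an added detection example written for this article, not code from the Bleeping Computer report or any TFlower sample. It runs rules over constructed process-creation records (in the shape of Windows event 4688 or Sysmon event 1; the hosts, the parent name "tflower_sample.exe" and every command line are assumptions made for the example) and raises severity when one parent process both wipes shadow copies and turns off recovery on the same host, which is the combination the article attributes to TFlower.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events for this example only; not
# telemetry from any real TFlower incident. "tflower_sample.exe" is a placeholder.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": "explorer.exe",
     "cmdline": "notepad.exe C:\\Users\\bob\\notes.txt"},
    {"host": "WS01", "parent": "tflower_sample.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "parent": "tflower_sample.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "WS01", "parent": "tflower_sample.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS01", "parent": "tflower_sample.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    # Benign admin activity: listing snapshots is not deleting them.
    {"host": "SRV02", "parent": "services.exe",
     "cmdline": "vssadmin.exe list shadows"},
]

# Detection rules: (category, pattern over the full command line).
# Shadow copy deletion and recovery disabling are the two behaviours the
# article describes; the concrete commands are the usual built-in Windows
# tools for those actions.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures", re.I)),
]

REQUIRED_FOR_HIGH = {"shadow_copy_deletion", "recovery_disabled"}


def classify(cmdline):
    """Return the set of rule categories whose pattern matches this command line."""
    return {category for category, pattern in RULES if pattern.search(cmdline)}


def detect(events):
    """Return one finding per event that matches at least one rule."""
    findings = []
    for event in events:
        categories = classify(event["cmdline"])
        if categories:
            findings.append({
                "host": event["host"],
                "parent": event["parent"],
                "cmdline": event["cmdline"],
                "categories": sorted(categories),
            })
    return findings


def assess(events):
    """Group findings by (host, parent process) and assign a severity.

    A single parent that both deletes shadow copies and disables recovery on
    one host is rated 'high' (the ransomware pattern from the article); either
    behaviour alone is 'medium', since administrators occasionally do one of
    them legitimately but rarely both in sequence.
    """
    by_parent = defaultdict(set)
    for finding in detect(events):
        by_parent[(finding["host"], finding["parent"])].update(finding["categories"])

    alerts = []
    for (host, parent), categories in sorted(by_parent.items()):
        severity = "high" if REQUIRED_FOR_HIGH <= categories else "medium"
        alerts.append({
            "host": host,
            "parent": parent,
            "categories": sorted(categories),
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in assess(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['host']} "
              f"parent={alert['parent']} categories={alert['categories']}")
```

In a real deployment the event feed would come from a SIEM or EDR rather than the inline list, and the correlation key should include a time window so that two unrelated administrative actions days apart are not merged into one high-severity alert.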
Security experts have long warned of the dangers of leaving unprotected RDS ports open to the internet. Readers can also check out the related article "Top 3 AWS security configuration mistakes."