New Ransomware Called TFlower Hacks Into Company Networks - Olmec Skip to main content

New Ransomware Called TFlower Hacks Into Company Networks

By September 24, 2019May 16th, 2022Cybersecurity

Over the last two years, ransomware attacks have become increasingly common against businesses of all shapes and sizes.

While the attack vector saw a dip in popularity last year, this year it has come roaring back to the fore with several new strains of ransomware being developed and enjoying widespread use by hackers around the world.

One of the most recent entrants into the ransomware family is a new strain called “TFlower”, which made its first appearance in August of this year (2019).  Since that time, it has begun seeing increasingly widespread use, so if this is the first time you’re hearing about it, know that it likely won’t be the last.

TFlower is introduced into company networks when hackers take advantage of exposed Remote Desktop services.  Once the hackers have a toehold inside a company’s network, they’ll use that machine to connect to and infect as many other machines on the network as possible. Like many similar forms of malware, TFlower attempts to distract infected users while it’s encrypting their files.  In this case, it will display a PowerShell Window that makes it appear that some harmless software is being deployed.

While it’s encrypting a victim’s files, it connects to its Command and Control Server to keep the software owners apprised of its activities. Then it attempts to clear the Shadow Volume Copies and attempt to disable the Windows 10 repair environment. This makes it difficult, if not impossible to recover files via conventional means.  Note that it also attempts to terminate the Outlook.exe process so its data files can be encrypted.

When the software has done as much damage as it can do, it will litter the infected computer with a file named “!_Notice_!.txt” which explains that the computer’s files have been encrypted and in order to get them back, you’ll need to contact the malware owners at the email address provided for additional details.

Be sure your IT staff is aware, and given how this one is spread, check the security of your Remote Desktop services.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.