
Researchers report growing activity of TFlower, another ransomware that uses RDP

According to Bleeping Computer, the activity of TFlower, a ransomware that uses RDP and is focused on corporate networks, has begun to gain momentum.

The malware appeared in late July and is installed on a system after an attack aimed at gaining access to its Remote Desktop service.

“With the huge payments being earned by ransomware developers as they target businesses and government agencies, it is not surprising to see new ransomware being developed to take advantage of this surge in high ransoms. Such is the case with the TFlower ransomware,” report Bleeping Computer journalists.

Currently, TFlower is delivered to victims as a file named chilli.exe and encrypts data with the AES algorithm in CBC mode. It is also able to delete Windows shadow copies, disable the Windows 10 recovery tools and forcibly terminate the Outlook.exe process so that it can reach the files Outlook holds open.

The malware displays the progress of encryption in a console window; once it starts this task, it connects to its command-and-control server and updates its status there. While searching for and encrypting the victim’s files, TFlower skips the Windows folder and the sample music folder (located at C:\Users\Public\Public Music\Sample Music).

This newcomer does not append its own extension to encrypted files; it only adds the *tflower token and the encryption key to them. After completing its work, the malware reports this to the C&C server, and ransom notes named !_Notice_!.txt appear on the infected machine, in every folder containing modified files and on the desktop.
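The two host-level indicators the article names, the !_Notice_!.txt ransom note and the *tflower token written into encrypted files, can be swept for with a simple filesystem scan. The script below is an added example for incident responders, not code from the article or from Bleeping Computer. It assumes the token is written into the first bytes of an encrypted file (the article only says it is "added"), so it also checks file names for the token to cover either reading, and it builds its own constructed sample tree in a temporary directory so it runs offline.

```python
"""Added example (not from the article): scan a directory tree for the TFlower
indicators the article names, the ransom note !_Notice_!.txt and the "*tflower"
token found in encrypted files.

Assumptions not stated in the article: the token sits in the leading bytes of
an encrypted file (the name is checked as well), and the sample tree below is
constructed for the demo."""
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "!_Notice_!.txt"   # ransom note name from the article
MARKER = b"*tflower"              # token from the article; position is assumed


def scan_tree(root, max_read=64):
    """Return (note_dirs, marked_files): directories that hold a ransom note,
    and files whose name or leading bytes contain the TFlower token."""
    note_dirs, marked = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                note_dirs.append(str(Path(dirpath)))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_read)   # only the first bytes are needed
            except OSError:
                continue                        # unreadable file: skip, do not crash
            if MARKER.decode() in name or MARKER in head:
                marked.append(str(path))
    return sorted(note_dirs), sorted(marked)


def summarize(root):
    """Same as scan_tree but with paths relative to root, for reporting."""
    note_dirs, marked = scan_tree(root)
    rel = lambda p: str(Path(p).relative_to(root))
    return [rel(d) for d in note_dirs], [rel(f) for f in marked]


def build_sample_tree():
    """Constructed post-infection layout (not real malware output): one
    encrypted document with a note beside it, a note on the 'desktop' root,
    and an untouched Windows folder, which the article says TFlower skips."""
    root = Path(tempfile.mkdtemp(prefix="tflower_demo_"))
    docs = root / "Documents"
    windows = root / "Windows"
    docs.mkdir()
    windows.mkdir()
    # constructed "encrypted" file: token + fake key blob + random body
    (docs / "report.docx").write_bytes(MARKER + b"<fake-key-blob>" + os.urandom(32))
    (docs / RANSOM_NOTE).write_text("constructed ransom note")
    (root / RANSOM_NOTE).write_text("constructed ransom note on desktop")
    (windows / "notepad.exe").write_bytes(b"MZ" + b"\x00" * 30)  # left untouched
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    notes, hits = summarize(demo_root)
    print("directories with ransom note:", notes)
    print("files carrying the token:   ", hits)
```

Run it as-is to see the scan over the constructed tree; to sweep a real host, call `summarize()` (or `scan_tree()`) on the drive root instead of `build_sample_tree()`. The scan reads only the first 64 bytes of each file, so it is cheap enough to run across a whole volume, and it catches the token whether it was placed in the file body or the file name.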

For instructions on recovering files, the ransomware tells victims to contact the attackers by email at a @protonmail.com or @tutanota.com address.

When TFlower debuted, its operators charged 15 bitcoins per decryption key. Since the end of August, they have stopped stating the ransom amount in their messages. It is currently impossible to recover files without paying the ransom: analysts are studying the malicious code but have not yet found weaknesses in its encryption scheme.

Internet-accessible RDP services are a very popular attack vector for distributors of ransomware targeting corporate environments. SamSam, Scarabey, Matrix, Dharma and Nemty all used a similar infection method this year.

Polina Lisovskaya

I have worked as a marketing manager for years now and love searching for interesting topics for you
