The TFlower Ransomware – A New Threat to Corporate Networks

November 15, 2019

Since 2017, ransomware incidents have grown steadily more frequent and more aggressive. TFlower ransomware concentrates its attacks on company networks, striking at the core of everyday business operations.


There was a slight decline in the number of attacks last year, but in 2019 these business-targeting strains have resumed their assault with renewed force, almost as if taking revenge. Newly discovered strains of ransomware have already been seen, and some are most likely being developed with more robust code to support larger and more brutal money-making campaigns.


One of the most recent additions to this lethal family of ransomware, discovered just a month ago, is TFlower. Security researchers have observed and recorded it being used actively in the wild. So if you are only finding out about it now, sorry to say, it is just at the beginning of its life and shows no sign of stopping or slowing down.


TFlower is being used by attackers to infiltrate corporate networks by exploiting unprotected Remote Desktop terminals. Once inside the network, it first ensures that all other nearby terminals or machines within the first layer of that network are either cloned or infected. This gives it a secure foothold in case the first line of protection kicks in.


Once it has established its roots, TFlower works to convince the users of the infected terminals that some critical patch or security command is being executed in the background. It does this by connecting to its command-and-control servers and tricking the network administrators and other users into thinking that a scheduled encryption or software update is being deployed harmlessly. A PowerShell window even pops up showing the progress of the supposedly harmless update.


Meanwhile, hidden in the background while TFlower performs these “legitimate” updates on the victims’ machines, it works doubly hard to delete and clear out the system's backups, including the shadow copies of the operating system drive. To make matters even worse, Windows 10 users will find their repair option completely disabled or unavailable.


And if you are thinking of sending your documents to a personal or backup email address just to salvage your important files, sorry, but you won't be able to. TFlower is way ahead of you: it has most likely disabled Outlook.exe and encrypted all your important files and documents, making sure you cannot use or recover them easily.


Once TFlower is done with its assault and has incapacitated you and your machine, it simply leaves a note on your PC in a file named “!_Notice_!.txt” that tells you right to your face that you have just become a victim. You will no longer be able to access the contents of your machine; if you really need to, you will have to reach out to the attackers at the contact details provided in that file for instructions on how to recover everything.
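The behaviours described above (shadow copy deletion, disabling of the Windows repair option, killing the mail client, dropping “!_Notice_!.txt”) are exactly the kind of host activity a defender can alert on. The following is an added example, not code from the original article or from any vendor: a small detector that runs a handful of rules over constructed process-creation and file-creation events and flags hosts where several of these behaviours coincide. The command-line patterns (vssadmin/wmic, bcdedit, taskkill) are assumptions about typical tooling for these actions; only the ransom note name comes from the article.

```python
import re

# Detection rules for the behaviours the article describes. The command
# lines are assumed typical tooling, not quoted from the article; the note
# file name is the one the article reports.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("mail_client_killed",
     re.compile(r"taskkill(\.exe)?.*outlook\.exe", re.I)),
    ("ransom_note_dropped",
     re.compile(r"!_Notice_!\.txt", re.I)),
]

# Constructed sample events in "host|event|detail" form (not real telemetry).
SAMPLE_LOG = """\
WS01|ProcessCreate|C:\\Windows\\System32\\svchost.exe -k netsvcs
WS01|ProcessCreate|vssadmin.exe delete shadows /all /quiet
WS01|ProcessCreate|bcdedit.exe /set {default} recoveryenabled no
WS01|ProcessCreate|taskkill /F /IM outlook.exe
WS02|ProcessCreate|notepad.exe C:\\Users\\alice\\notes.txt
WS01|FileCreate|C:\\Users\\alice\\Desktop\\!_Notice_!.txt
"""

def parse_event(line):
    """Split one 'host|event|detail' line; detail may itself contain '|'."""
    host, event, detail = line.split("|", 2)
    return host, event, detail

def scan(log_text):
    """Return a list of (host, rule_name, detail) for every matching event."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, _event, detail = parse_event(line)
        for name, pattern in RULES:
            if pattern.search(detail):
                hits.append((host, name, detail))
    return hits

def score_hosts(hits, threshold=2):
    """Map host -> sorted distinct rule names, keeping hosts at/above threshold.
    Requiring several distinct behaviours on one host cuts noise from a lone
    admin running bcdedit or vssadmin legitimately."""
    per_host = {}
    for host, name, _detail in hits:
        per_host.setdefault(host, set()).add(name)
    return {h: sorted(n) for h, n in per_host.items() if len(n) >= threshold}

if __name__ == "__main__":
    for host, rules in score_hosts(scan(SAMPLE_LOG)).items():
        print(f"{host}: likely ransomware activity: {', '.join(rules)}")
```

In practice the event source would be Sysmon event ID 1 (process creation) and 11 (file creation) or Windows Security event 4688 forwarded to a SIEM, with the same rules expressed in that platform's query language.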


Scary, I know. So make sure your network admins and IT staff are aware, and ensure that your company has all the essential security controls in place on its corporate networks to stave off these kinds of attacks.
