The Canadian Centre for Cyber Security (CCCS) has issued an advisory about TFlower, a ransomware variant that gains access to victims through exposed, unpatched Remote Desktop Protocol (RDP) services, among other vectors.
TFlower was discovered on July 30 and relies on a range of infection vectors rather than a single one. In addition to exposed RDP services, CCCS lists the following:
- Email spam and malicious attachments.
- Deceptive downloads.
- Web injects.
- Malicious ads.
- Fake updates.
- Repackaged and infected installers.
Once a TFlower operator has a foothold on a system, the attacker attempts to move laterally across the network, CCCS said. The malware then contacts a command-and-control server, deletes Volume Shadow Copies and disables Windows recovery features so that files cannot be restored locally, and finally encrypts the victim's files.
Encrypted files are marked by inserting the string "*tflower" at the beginning of the file, CCCS noted, and a ransom note named "!_Notice_!.txt" is left behind.
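The two artefacts above (the "*tflower" header on encrypted files and the "!_Notice_!.txt" note) are enough to sweep a host for TFlower activity. The following PowerShell script is an added example, not part of the CCCS advisory or this article; the scan root, the file cap and the output shape are this example's own choices.

```powershell
# Added example (not from the CCCS advisory or the page): hunt a Windows host for the two
# TFlower artefacts the advisory describes. Encrypted files begin with the ASCII string
# "*tflower"; the ransom note is named "!_Notice_!.txt". The scan root, file cap and output
# shape are this example's assumptions. Run as a user who can read the directories of interest.
[CmdletBinding()]
param(
    [string]$Root = 'C:\Users',
    [int]$MaxFiles = 500000
)

$Marker   = '*tflower'          # header written to the start of each encrypted file
$NoteName = '!_Notice_!.txt'    # ransom note file name
$bytes    = [System.Text.Encoding]::ASCII.GetBytes($Marker)
$script:seen = 0

# Read only the first few bytes of each file, sharing the handle read/write so that files
# held open by another process (including a still-running encryptor) can be inspected.
function Test-TFlowerHeader([string]$Path) {
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
        try {
            $buf  = New-Object byte[] $bytes.Length
            $read = $fs.Read($buf, 0, $buf.Length)
            return ($read -eq $bytes.Length) -and
                   ([System.Text.Encoding]::ASCII.GetString($buf) -ceq $Marker)
        } finally { $fs.Dispose() }
    } catch { return $false }   # locked or unreadable: skip rather than abort the sweep
}

$hits = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($script:seen++ -ge $MaxFiles) { return }
        if ($_.Name -eq $NoteName) {
            [pscustomobject]@{ Kind='RansomNote'; Path=$_.FullName; Modified=$_.LastWriteTime }
        } elseif ($_.Length -ge $bytes.Length -and (Test-TFlowerHeader $_.FullName)) {
            [pscustomobject]@{ Kind='EncryptedFile'; Path=$_.FullName; Modified=$_.LastWriteTime }
        }
    }

$hits | Sort-Object Modified | Format-Table -AutoSize
$enc = @($hits | Where-Object Kind -eq 'EncryptedFile')
if ($enc.Count) {
    # The earliest modified encrypted file approximates when encryption began on this host,
    # which bounds the window to search in RDP logon events (Event ID 4624, logon type 10).
    $first = ($enc | Sort-Object Modified | Select-Object -First 1).Modified
    Write-Host ("{0} encrypted file(s); earliest at {1}" -f $enc.Count, $first)
} else {
    Write-Host "No TFlower markers found under $Root"
}
```

Run it as `.\Find-TFlower.ps1 -Root D:\Shares` on a suspect host or file server. Checking only the first eight bytes keeps the sweep fast and avoids reading whole files, and opening with FileShare ReadWrite means a file that the encryptor still holds open is reported rather than skipped with an access error.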
How to Combat TFlower Attacks
CCCS offered a variety of tips to combat TFlower attacks, including:
- Install operating system updates.
- Disable Remote Desktop services where they are not required, and never expose RDP directly to the internet.
- Enable Network Level Authentication (NLA) for any RDP service that must remain, across all Windows devices.
- Avoid opening attachments from unknown or unverified sources.
- Enforce application whitelisting so that only approved executables can run.
- Limit the number of users with administrative privileges.
- Disable Office macros in documents received via email.
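Several of the recommendations above map directly to Windows registry settings that can be audited and enforced from PowerShell. The script below is an added example, not part of the CCCS advisory or this article; the `-Apply` and `-RdpRequired` switches, the Office version key (16.0) and the mapping of each recommendation to a particular registry value are this example's assumptions.

```powershell
# Added example (not from the CCCS advisory): audit a Windows host against the registry-backed
# items in the list above and optionally enforce them. Run from an elevated PowerShell. The
# switches, the Office version key (16.0) and the mapping of each recommendation to a registry
# value are this example's assumptions; adjust the Office key to the version you deploy.
[CmdletBinding()]
param(
    [switch]$Apply,         # without -Apply the script only reports
    [switch]$RdpRequired    # keep RDP enabled (but still require NLA and TLS)
)

$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"

# Each check: registry path, value name, the hardened value, and a human-readable label.
$checks = @(
    @{ Path=$rdpTcp; Name='UserAuthentication'; Want=1; Note='RDP requires Network Level Authentication' }
    @{ Path=$rdpTcp; Name='SecurityLayer';      Want=2; Note='RDP security layer is TLS' }
)
if (-not $RdpRequired) {
    $checks += @{ Path=$ts; Name='fDenyTSConnections'; Want=1; Note='RDP disabled (1 = deny connections)' }
}
foreach ($app in 'Word','Excel','PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $checks += @{ Path=$sec; Name='VBAWarnings'; Want=4; Note="$app macros disabled without notification" }
    $checks += @{ Path=$sec; Name='blockcontentexecutionfrominternet'; Want=1; Note="$app blocks macros in files from the Internet" }
}

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$report = foreach ($c in $checks) {
    $have = Get-RegValue $c.Path $c.Name
    $ok   = ($have -eq $c.Want)
    if (-not $ok -and $Apply) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
        $have = $c.Want; $ok = $true
    }
    [pscustomobject]@{ Setting=$c.Note; Current=$have; Wanted=$c.Want; Compliant=$ok }
}
$report | Format-Table -AutoSize

# When RDP is not required, also close the listener at the host firewall.
if ($Apply -and -not $RdpRequired) {
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}

# Administrative privileges: every account listed here can undo the settings above.
Write-Host "`nLocal Administrators group:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass | Format-Table -AutoSize

# Patch level: the most recently installed updates.
Write-Host 'Most recent updates:'
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn | Format-Table -AutoSize

# Application whitelisting: report whether any AppLocker policy is in effect at all.
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
$rules  = if ($policy) { ([xml]$policy.ToXml()).SelectNodes('//*[@Id and @Action]').Count } else { 0 }
Write-Host "AppLocker rules in effect: $rules (0 means no whitelisting is enforced)"
```

Run it without switches first to see which settings are non-compliant, then with `-Apply` (and `-RdpRequired` on hosts that must keep RDP) to enforce the registry values. Two caveats: the Office macro policy lives under HKCU, so the script only hardens the user it runs as, and on a domain these settings belong in Group Policy rather than per-host scripts; and an empty AppLocker count is only a signal that whitelisting is absent, since building the rule set itself is a separate exercise.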
MSSPs can also provide malware analysis and detection services to protect organizations against TFlower and similar ransomware, helping them keep pace with evolving attacks.