The TellYouThePass ransomware has resurfaced, this time compiled in Golang, which lets the ransomware target operating systems other than Windows.
The TellYouThePass ransomware, first seen in 2019, has recently resurfaced, this time written in Golang. Golang's popularity among malware developers stems from the fact that it makes cross-platform development more accessible.
TellYouThePass ransomware, which targets Windows and Linux, was recently linked to Log4Shell post-exploitation.
The CrowdStrike Falcon® platform uses machine learning and behavior-based detection to defend customers from the Golang-written TellYouThePass ransomware.
The TellYouThePass ransomware family was recently identified as a post-exploitation payload used in conjunction with Log4Shell, the remote code execution vulnerability in the Apache Log4j library.
TellYouThePass was initially discovered in early 2019 as a ransomware programme that encrypts files and demands payment to restore them. Targeting both Windows and Linux systems, it resurfaced in mid-December 2021, together with other ransomware such as Khonsari, as a post-exploitation payload associated with Log4Shell. Affected firms are expected to face a slew of cybersecurity threats as a result of the remote code execution vulnerability.
Previously known TellYouThePass ransomware samples were written in traditional languages such as Java or .NET; however, two new versions recently discovered in public repositories were not.
The use of Golang among malware authors has risen significantly in recent years. It enables cross-platform development by allowing them to keep a single codebase and compile it for all major operating systems.
The next sections go over the new TellYouThePass ransomware samples written in Golang for Windows and Linux, as well as how the CrowdStrike Falcon platform safeguards against them.
The triumphant return
According to a CrowdStrike analysis, TellYouThePass has undergone code changes that make it easier to compile for systems including macOS and Linux.
The Linux and Windows TellYouThePass samples share an 85 percent code similarity, according to researchers.
They also noticed a number of other modifications, including the usage of a new encryption technique.
This ransomware employs AES-256/RSA-2014 encryption, and there is no free decryptor available.
For the decryption tool, the ransom note demands 0.05 Bitcoin, currently worth roughly $2,150.
Notably, the RSA key is generated using Golang's crypto packages.
What else has happened recently?
In the most recent samples, the names of all functions except “main” have been randomised, which hinders analysis.
Before beginning the encryption process, the ransomware terminates any processes or services that could disrupt it, such as email clients, web servers, document editors, and database software.
Furthermore, some directories are not encrypted to prevent the system from becoming unbootable.
An introduction to the actor
TellYouThePass is a ransomware with a financial motive that was first discovered in 2019.
It was created with the intention of being used on Windows-based devices.
The ransomware was recently observed exploiting Log4Shell, a serious remote code execution vulnerability, in its attacks.
The recent rewrite of the TellYouThePass ransomware demonstrates how criminals are adopting new languages to extend the reach of their attacks. The malware now targets a variety of operating systems, making it more adaptable. Furthermore, these changes suggest that the malware's operators intend to increase their investment in it in the near future.