Ransomware TellYouThePass is Back as Cross-Platform Threat from Golang

Ransomware TellYouThePass is Back as Cross-Platform Threat from Golang

TellYouThePass ransomware has resurfaced as Golang-compiled malware, allowing it to target a wider range of operating systems, including macOS and Linux. Last month, threat actors exploited it in concert with the Log4Shell vulnerability to attack susceptible devices, signaling the reappearance of this malware strain. Crowdstrike has released research that delves deeper into this comeback, concentrating on code-level modifications that make it simpler to build for systems other than Windows.

Golang is a cross-platform programming language that malware developers initially embraced in 2019. Furthermore, Golang allows the packaging of required libraries into a single binary file, resulting in a reduced command and control (C2) server footprint and lower detection rates. It’s also less challenging to learn than other programming languages, such as Python, and comes with current debugging and plugin tools to simplify the development process. The Glupteba botnet, destroyed last month by Google’s security experts, is a famous example of effective Golang malware.

According to Crowdstrike analysts, the Linux and Windows versions of TellYouThePass have a coding resemblance of 85%, demonstrating the minor changes required to let the ransomware execute on other operating systems. The randomization of the names of all functions saves the ‘main’ one, which seeks to defy investigation, is one notable modification in the current variants of the ransomware. TellYouThePass disables processes and services that might jeopardize the encryption process or result in incomplete encryption, such as email clients, database programs, web servers, and document editors, before starting the encryption procedure.

Furthermore, specific folders are not encrypted to prevent the system from becoming unbootable and, therefore, wasting any chance of compensation. In exchange for the decryption tool, the ransom letter dropped in the latest TellYouThePass attacks requests 0.05 Bitcoin, which currently converts to around $2,150. The RSA-2014 and AES-256 algorithms are used in the encryption method, and there is no free decryptor accessible. At this time, no macOS samples have been discovered.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.

Share: