TellYouThePass ransomware returns as cross-platform Golang threat

TellYouThePass ransomware has re-emerged as malware compiled by Golang, making it easier to target more operating systems, macOS and Linux in particular.

The return of this malware strain was noticed last month, when hackers used it in conjunction with the Log4Shell exploit to target vulnerable machines.

Now, a report from Crowdstrike sheds more light on that comeback, focusing on the code-level changes that make the ransomware easier to compile for platforms other than Windows.

Why Golang?

Golang is a programming language first adopted by malware writers in 2019 due to its cross-platform versatility.

Additionally, Golang allows dependency libraries to be bundled into a single binary file, which reduces the footprint of command and control (C2) server communications, thereby reducing detection rates.

It is also easier to learn than other programming languages, for example Python, and offers modern debugging and plug-in tools that simplify the programming process.

A notable example of successful malware written in Golang is the Glupteba botnet, which was shut down last month by Google security specialists.

New TellYouThePass Samples

Crowdstrike analysts report an 85% code similarity between Linux and Windows samples from TellYouThePass, showing the minimal tweaks needed for the ransomware to run on different operating systems.

Functions on Windows and Linux samples
Source: Crowdstrike

A notable change in the latest ransomware samples is that the names of all functions except “main” are randomized, in an attempt to thwart scanning.
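As an added defensive illustration (not code from Crowdstrike, nor from the malware), the check below takes the function names a Go binary carries in its function table (for example the third column of `go tool nm <sample>`) and counts how many main-package names look machine-generated. The vowel, digit and case-change thresholds and the sample names are our own assumptions, not values from the report.

```go
package main

import (
	"strings"
	"unicode"
)

// looksRandom flags generated-looking identifiers: digits, almost no vowels or
// erratic case changes are rare in hand-written Go names (thresholds are ours).
func looksRandom(id string) bool {
	if len(id) < 6 { // very short names are too little evidence either way
		return false
	}
	letters, vowels, caseFlips, prevLower := 0, 0, 0, false
	for _, r := range id {
		if unicode.IsDigit(r) {
			return true
		}
		if !unicode.IsLetter(r) {
			continue
		}
		letters++
		vowels += strings.Count("aeiouAEIOU", string(r))
		if unicode.IsUpper(r) && prevLower {
			caseFlips++
		}
		prevLower = unicode.IsLower(r)
	}
	return caseFlips >= 3 || float64(vowels) < 0.2*float64(letters)
}

// countRandomNames scores the symbols of the main package ("main.xyz").
// main, init* and closures (main.run.func1) are skipped: the report says
// only names other than main were randomized, and the rest are compiler-chosen.
func countRandomNames(names []string) (flagged, total int) {
	for _, n := range names {
		if !strings.HasPrefix(n, "main.") {
			continue
		}
		id := n[strings.LastIndex(n, ".")+1:]
		if id == "main" || strings.HasPrefix(id, "init") || strings.HasPrefix(id, "func") {
			continue
		}
		total++
		if looksRandom(id) {
			flagged++
		}
	}
	return flagged, total
}
```

A sample in which nearly every main-package function is flagged, while a normal Go build scores close to zero, is worth a closer look; the heuristic is a triage aid, not a verdict.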

Before running the encryption routine, TellYouThePass kills tasks and services that could compromise the process or cause incomplete encryption, such as email clients, database applications, web servers, and document editors.

Also, some directories are excluded from encryption to avoid making the system unbootable and thus losing any chance of getting paid.

List of directories excluded from encryption
Source: Crowdstrike

The ransom note dropped during recent TellYouThePass infections demands 0.05 Bitcoin, currently converting to around $2,150, in exchange for the decryption tool.

Ransom note dropped in recent attacks
Source: Crowdstrike

The encryption scheme uses RSA-2014 and AES-256 algorithms, and there is no free decryptor available.

At this time, macOS samples have not been spotted.

About Jon Moses
