Frequently Asked Questions

TellYouThePass Ransomware – Technical Analysis & Threat Details

What is TellYouThePass ransomware and why is it significant?

TellYouThePass is a ransomware strain that has resurfaced with a modern reinterpretation, leveraging the Golang programming language for cross-platform functionality on both Windows and Linux. Its significance lies in its adaptability, advanced encryption methods, and ability to target a wide range of file types and critical applications, making it a formidable threat to organizations operating in diverse environments. [Source]

How does TellYouThePass achieve cross-platform functionality?

TellYouThePass is written in Golang, which allows it to compile binaries for both Windows and Linux. Analysts found over 85% code similarity between samples for the two platforms, demonstrating its adaptability and making it harder to defend against in mixed-OS environments. [Source]

What encryption methods does TellYouThePass use?

TellYouThePass employs Golang Crypto Packages to handle encryption keys, using RSA-1024 for asymmetric encryption and AES-256 for symmetric encryption. It utilizes functions like crypto_x509_MarshalPKCS1PrivateKey and encoding_pem_EncodeToMemory to manage and encode keys securely. [Source]

Which processes and services does TellYouThePass target before encryption?

Before initiating encryption, TellYouThePass kills processes and services related to databases, email clients, and antivirus software. On Windows, it uses cmd.exe commands like taskkill and schtasks to terminate processes such as msftesql.exe and sqlservr.exe. On Linux, it executes commands via /bin/bash/ to stop services like MySQL and PostgreSQL. [Source]

What directories does TellYouThePass exclude from encryption?

To maintain system operability, TellYouThePass excludes critical directories from encryption. On Windows, these include Program Files, Recycle.Bin, and System Volume Information. On Linux, it excludes /bin, /boot, /etc, and /lib. [Source]

Which file types are targeted by TellYouThePass ransomware?

TellYouThePass encrypts a wide range of file types, including documents (.docx, .xlsx), images (.jpg), databases (.sql), and archives (.zip). The paths of encrypted files are saved in encfile.txt for tracking. [Source]

How does TellYouThePass deliver ransom instructions to victims?

TellYouThePass delivers a ransom note that outlines its encryption process and instructs victims to pay 0.05 Bitcoin to a hardcoded wallet address. Each victim receives a unique personid for identification and decryption key retrieval. [Source]

What mitigation strategies are recommended against TellYouThePass ransomware?

Recommended mitigation strategies include regularly updating and patching systems, monitoring and restricting admin privileges, implementing robust backup and recovery mechanisms, and employing advanced threat detection tools to identify anomalous activity. [Source]

How does TellYouThePass mark a system as encrypted?

TellYouThePass checks for the presence of specific files like showkey.txt and public.txt in directories such as %APPDATA% (Windows) and /root/ (Linux). If encryption hasn’t occurred, these files are created to mark the system for further action. [Source]

Why does TellYouThePass exclude certain directories from encryption?

Excluding critical system directories ensures that the operating system remains functional after encryption, increasing the likelihood that victims can access the ransom note and comply with payment instructions. [Source]

How does TellYouThePass evade detection?

TellYouThePass uses obfuscated function names, leaving only the main function intact, and attackers may patch binaries to remove the 'Go build ID' string, making detection by traditional methods more difficult. [Source]

What is the impact of TellYouThePass on organizations?

The ransomware's ability to kill antivirus processes, target critical applications, and encrypt a wide range of files can lead to business disruption, data loss, reputational damage, and financial or legal consequences if not mitigated promptly. [Source]

How does TellYouThePass handle encryption keys?

TellYouThePass uses Golang Crypto Packages to generate and manage RSA-1024 and AES-256 encryption keys, converting private keys to PKCS #1 format and encoding them in PEM format for secure handling. [Source]

What is the ransom amount demanded by TellYouThePass?

Victims are instructed to pay 0.05 Bitcoin to a hardcoded wallet address to receive the decryption key. [Source]

How does TellYouThePass identify individual victims?

Each victim is assigned a unique personid, which is used for identification and to facilitate the decryption process after ransom payment. [Source]

What is the role of encfile.txt in TellYouThePass attacks?

The encfile.txt file is used to store the paths of all encrypted files, allowing the ransomware to track which files have been processed. [Source]

How does TellYouThePass affect both Windows and Linux systems?

TellYouThePass is compiled for both Windows and Linux, using platform-specific commands to kill processes and exclude directories, but maintaining over 85% code similarity for efficient cross-platform attacks. [Source]

What is the main takeaway from the TellYouThePass ransomware analysis?

The main takeaway is that ransomware is evolving in sophistication, with TellYouThePass demonstrating advanced cross-platform capabilities, robust encryption, and targeted attacks on critical applications, emphasizing the need for proactive and layered cybersecurity defenses. [Source]

Where can I find more technical resources about ransomware and exposure management?

You can find more technical resources, including whitepapers, data sheets, and integration guides, on the Cymulate Resources page. For ransomware-specific information, visit the ransomware glossary entry.

Features & Capabilities

What features does Cymulate offer for ransomware and threat exposure validation?

Cymulate provides continuous threat validation, simulating real-world ransomware and other cyber threats to test and validate defenses. The platform covers the full kill chain, including phishing, malware, lateral movement, data exfiltration, and zero-day exploits, with daily updated threat templates and AI-generated attack plans. [Source]

How does Cymulate's immediate threats module help organizations?

Cymulate's immediate threats module is rapidly updated to reflect new attacks, allowing organizations to quickly assess their IT estate for exposure to emerging threats and implement remedial actions. Customers praise its speed and relevance for proactive defense. [Source]

What types of threats and techniques does Cymulate simulate for endpoint security validation?

Cymulate simulates known malicious file samples, malicious behaviors, ransomware, worms, trojans, rootkits, DLL side-loading, and code injection to validate endpoint security controls. [Source]

How does Cymulate address immediate and emerging threats?

Cymulate's immediate threats module is updated quickly to assess new attacks, enabling organizations to evaluate risk exposure and implement remedial actions promptly. This ensures simulation of the latest threats, including ransomware and other current attack vectors. [Source]

What are the core practices to combat evolving ransomware threats?

Core practices include prompt patching, least privilege, segmentation, backups, and recovery planning. For legacy systems, rigorous monitoring and containment are essential. Continuous red teaming and attack simulation, as provided by Cymulate, help verify defenses. [Source]

How do encoding and encrypting techniques help attackers bypass static and heuristic analysis?

Attackers use encoding and encrypting techniques to make malware code unreadable except under specific circumstances, preventing static analysis from identifying malicious actions. These methods challenge heuristic analysis, as code blocks do not indicate malicious intent until decrypted or unscrambled at runtime. [Source]

Where can I read about best practices for ransomware resilience?

You can read practical steps to reduce ransomware risk and improve defenses in the blog post 7 Essential Steps to Becoming Ransomware Resilient.

What is an insider threat and how does it relate to ransomware?

An insider threat is a security risk originating from within an organization, such as employees, contractors, or partners with legitimate access. Insider threats can be malicious, negligent, or compromised, and may facilitate ransomware attacks by exposing vulnerabilities or enabling unauthorized access. [Source]

What types of cyber threats does the financial services sector face?

The financial services sector faces sophisticated cyber threats, including ransomware, phishing, and advanced persistent threats (APTs), requiring robust security controls for both internal systems and customer-facing applications. [Source]

Where can I learn more about ransomware attackers and their techniques?

Learn about ransomware attackers and their methods in the ransomware glossary entry.

How can I learn more about ransomware and its prevention?

To understand ransomware and strategies for its prevention, refer to the ransomware glossary entry.

What was the potential impact of the email gateway flaw discovered by Cymulate?

The potential impact was significant, as ransomware could bypass the gateway, making the organization vulnerable to widespread infections, business disruption, data loss, reputational damage, and financial or legal consequences. [Source]

What feedback have customers given about Cymulate's immediate threats module?

Customers praise the immediate threats module for its rapid updates and ability to quickly assess risk from new attacks. A Lead Cyber Defense Engineer stated: “I am particularly enamored with the immediate threats module and how quickly this gets updated. In short if an attack is new, you can quickly assess your IT estate for how much of a risk is posed to you and implement remedial action quickly.” [Source]

What did a Penetration Tester highlight about Cymulate's immediate threats module?

A Penetration Tester praised Cymulate's immediate threats module, stating, “I am particularly enamored with the immediate threats module and how quickly this gets updated. In short if an attack is new, you can quickly assess your IT estate for how much of a risk is posed to you and implement remedial action quickly.” [Source]

Where can I watch the Threat Exposure Validation Summer Series video?

You can watch the video Threat Exposure Validation Summer Series: Threat Exposure Validation is a must have in 2025 for more insights on exposure validation and ransomware defense.


TellYouThePass Ransomware Analysis Reveals a Modern Reinterpretation Using Golang

February 3, 2022

TellYouThePass ransomware has resurfaced with a modern reinterpretation, leveraging Golang for cross-platform functionality on Windows and Linux. Analysts identified its binary using the "Go build ID" string, although attackers often patch binaries to remove this identifier, making detection difficult. Two analyzed samples revealed more than 85% code similarity across platforms, showcasing its adaptability.

The malware uses obfuscated function names, leaving only the main function intact. It checks for specific files like showkey.txt and public.txt in directories such as %APPDATA% on Windows and /root/ on Linux to verify encryption status. If encryption hasn’t occurred, the files are created, marking the system for further action.
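The "Go build ID" string is a convenient but fragile indicator, since the analysis notes attackers patch it out of the binary. The following Go program is an added example, not code from the Cymulate analysis: a byte-level triage check that reports whether a file looks like a Go binary and whether its build ID is intact or appears to have been stripped, falling back to runtime strings the Go linker always emits. The sample bytes are constructed stand-ins, not real samples.

```go
package main

import (
	"bytes"
	"fmt"
)

// Strings present in a Go binary even after function-name obfuscation: the runtime
// is linked in unchanged and "Go buildinf:" is the .go.buildinfo section magic.
var goRuntimeMarkers = [][]byte{[]byte("Go buildinf:"), []byte("runtime.main"), []byte("runtime.goexit")}

// Build-ID indicators: PE/Mach-O builds embed the literal string, ELF builds keep
// the ID in a .note.go.buildid section. Either can be overwritten by a patcher.
var buildIDMarkers = [][]byte{[]byte("Go build ID: \""), []byte(".note.go.buildid")}

// Verdict summarises the byte scan.
type Verdict struct {
	IsGo            bool // some Go marker present
	HasBuildID      bool // a build-ID indicator is intact
	BuildIDStripped bool // Go runtime present but build ID gone: likely patched
}

func containsAny(data []byte, needles [][]byte) bool {
	for _, n := range needles {
		if bytes.Contains(data, n) {
			return true
		}
	}
	return false
}

// ClassifyGoBinary scans raw file bytes without parsing PE/ELF headers, so it
// also works on truncated or partially damaged samples.
func ClassifyGoBinary(data []byte) Verdict {
	v := Verdict{HasBuildID: containsAny(data, buildIDMarkers)}
	v.IsGo = v.HasBuildID || containsAny(data, goRuntimeMarkers)
	v.BuildIDStripped = v.IsGo && !v.HasBuildID
	return v
}

func main() {
	// Constructed stand-ins for file bytes, not real samples: one intact, one with
	// the build-ID string zeroed the way a patcher would.
	intact := []byte("MZ..\xff Go build ID: \"constructed\"\n..runtime.main..")
	patched := bytes.ReplaceAll(intact, []byte("Go build ID: \"constructed\""), make([]byte, 26))
	fmt.Printf("intact:  %+v\npatched: %+v\n", ClassifyGoBinary(intact), ClassifyGoBinary(patched))
}
```

A sample that scores BuildIDStripped is worth a closer look regardless of what its function names say, because the runtime markers cannot be removed without breaking the binary.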

Key Technical Details

Encryption Methods:
TellYouThePass employs Golang Crypto Packages to handle encryption keys using RSA-1024 and AES-256 algorithms. Functions like crypto_x509_MarshalPKCS1PrivateKey convert RSA private keys to PKCS #1 format, while encoding_pem_EncodeToMemory generates PEM-encoded keys for encryption.

Targeted Applications and Services:
Before initiating encryption, the ransomware kills processes and services related to databases, email clients, and antivirus software.

  • Windows: Uses cmd.exe commands such as taskkill and schtasks to terminate processes like msftesql.exe and sqlservr.exe.
  • Linux: Executes commands using os_exec_command with /bin/bash/ to stop services like MySQL and PostgreSQL.
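The process kills listed above, together with the showkey.txt and public.txt markers described earlier, are behaviour a defender can alert on before encryption starts. The Go snippet below is an added example, not part of the Cymulate analysis: two rule functions over a minimal, assumed telemetry shape (process image path plus command line; written file path) that flag the taskkill/schtasks and /bin/bash kills of the named database services and the marker files in %APPDATA% or /root/, with encfile.txt flagged anywhere. The process names and paths come from this analysis; the sample telemetry in main is constructed.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Names from the analysis above; extend with your own database, mail and AV process names.
var (
	killTools   = []string{"taskkill", "schtasks", "/bin/bash"}
	killTargets = []string{"msftesql.exe", "sqlservr.exe", "mysql", "postgresql"}
)

func containsAny(s string, needles []string) bool {
	for _, n := range needles {
		if strings.Contains(s, n) {
			return true
		}
	}
	return false
}

// CheckProcess inspects one process-creation record and names the rule it matches, or "".
func CheckProcess(image, cmdline string) string {
	text := strings.ToLower(image + " " + cmdline)
	if containsAny(text, killTools) && containsAny(text, killTargets) {
		return "pre-encryption service kill"
	}
	return ""
}

// CheckFileWrite inspects one file-create/write record. showkey.txt and public.txt only
// count in the directories the malware uses; encfile.txt (the encrypted-path list) counts anywhere.
func CheckFileWrite(filePath string) string {
	p := strings.ToLower(strings.ReplaceAll(filePath, `\`, "/"))
	dir, base := path.Split(p)
	markerDir := strings.Contains(dir, "/appdata/") || strings.HasPrefix(dir, "/root/")
	if base == "encfile.txt" || (markerDir && (base == "showkey.txt" || base == "public.txt")) {
		return "ransomware marker file written"
	}
	return ""
}

func main() {
	// Constructed sample telemetry, not real logs.
	fmt.Println(CheckProcess(`C:\Windows\System32\cmd.exe`, `cmd.exe /c taskkill /f /im sqlservr.exe`))
	fmt.Println(CheckProcess("/bin/bash", "bash -c 'service mysql stop'"))
	fmt.Println(CheckFileWrite(`C:\Users\alice\AppData\Roaming\showkey.txt`))
}
```

Map your EDR, Sysmon or auditd fields onto the two function signatures; the substring matching is deliberately loose, so tune the name lists against your own baseline before alerting on them.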

Directory Exclusions:
TellYouThePass excludes critical directories from encryption to maintain system operability.

  • Windows: Program Files, Recycle.Bin, System Volume Information.
  • Linux: /bin, /boot, /etc, /lib.

Targeted File Extensions:
The ransomware encrypts a wide range of file types, including documents, images, and databases, saving their paths in encfile.txt. Examples include .docx, .xlsx, .jpg, .sql, and .zip.

Ransom Note and Payment Details

TellYouThePass delivers a ransom note outlining its encryption process. Victims are instructed to pay 0.05 Bitcoin to a hardcoded wallet address to receive the decryption key. Each victim is assigned a unique personid for identification.

Implications and Recommendations

The use of Golang enhances the ransomware’s cross-platform capabilities, posing a significant threat to organizations operating both Windows and Linux environments. Its ability to kill antivirus processes and target critical applications heightens its impact.

Mitigation Strategies:

  • Regularly update and patch systems to close vulnerabilities.
  • Monitor and restrict the use of admin privileges to prevent unauthorized process terminations.
  • Implement robust backup and recovery mechanisms to minimize data loss.
  • Employ advanced threat detection tools to identify anomalous activity associated with ransomware attacks.

TellYouThePass highlights the evolving sophistication of ransomware, emphasizing the need for proactive cybersecurity measures to mitigate risks.