TellYouThePass Ransomware Analysis Reveals a Modern Reinterpretation Using Golang

February 3, 2022

TellYouThePass ransomware has resurfaced with a modern reinterpretation, leveraging Golang for cross-platform functionality on Windows and Linux. Analysts identified its binary using the "Go build ID" string, although attackers often patch binaries to remove this identifier, making detection difficult. Two analyzed samples revealed more than 85% code similarity across platforms, showcasing its adaptability.

The malware uses obfuscated function names, leaving only the main function intact. It checks for specific files like showkey.txt and public.txt in directories such as %APPDATA% on Windows and /root/ on Linux to verify encryption status. If encryption hasn’t occurred, the files are created, marking the system for further action.

Key Technical Details

Encryption Methods:
TellYouThePass employs Golang Crypto Packages to handle encryption keys using RSA-1024 and AES-256 algorithms. Functions like crypto_x509_MarshalPKCS1PrivateKey convert RSA private keys to PKCS #1 format, while encoding_pem_EncodeToMemory generates PEM-encoded keys for encryption.

Targeted Applications and Services:
Before initiating encryption, the ransomware kills processes and services related to databases, email clients, and antivirus software.

  • Windows: Uses cmd.exe commands such as taskkill and schtasks to terminate processes like msftesql.exe and sqlservr.exe.
  • Linux: Executes commands using os_exec_command with /bin/bash/ to stop services like MySQL and PostgreSQL.

Directory Exclusions:
TellYouThePass excludes critical directories from encryption to maintain system operability.

  • Windows: Program Files, Recycle.Bin, System Volume Information.
  • Linux: /bin, /boot, /etc, /lib.

Targeted File Extensions:
The ransomware encrypts a wide range of file types, including documents, images, and databases, saving their paths in encfile.txt. Examples include .docx, .xlsx, .jpg, .sql, and .zip.

Ransom Note and Payment Details

TellYouThePass delivers a ransom note outlining its encryption process. Victims are instructed to pay 0.05 Bitcoin to a hardcoded wallet address to receive the decryption key. Each victim is assigned a unique personid for identification.

Implications and Recommendations

The use of Golang enhances the ransomware’s cross-platform capabilities, posing a significant threat to organizations operating both Windows and Linux environments. Its ability to kill antivirus processes and target critical applications heightens its impact.

Mitigation Strategies:

  • Regularly update and patch systems to close vulnerabilities.
  • Monitor and restrict the use of admin privileges to prevent unauthorized process terminations.
  • Implement robust backup and recovery mechanisms to minimize data loss.
  • Employ advanced threat detection tools to identify anomalous activity associated with ransomware attacks.

TellYouThePass highlights the evolving sophistication of ransomware, emphasizing the need for proactive cybersecurity measures to mitigate risks.

Subscribe