TellYouThePass Ransomware Analysis Reveals a Modern Reinterpretation Using Golang
TellYouThePass ransomware has resurfaced with a modern reinterpretation, leveraging Golang for cross-platform functionality on Windows and Linux. Analysts identified its binary using the "Go build ID" string, although attackers often patch binaries to remove this identifier, making detection difficult. Two analyzed samples revealed more than 85% code similarity across platforms, showcasing its adaptability.
The malware uses obfuscated function names, leaving only the main function intact. It checks for specific files like showkey.txt
and public.txt
in directories such as %APPDATA%
on Windows and /root/
on Linux to verify encryption status. If encryption hasn’t occurred, the files are created, marking the system for further action.
Key Technical Details
Encryption Methods:
TellYouThePass employs Golang Crypto Packages to handle encryption keys using RSA-1024 and AES-256 algorithms. Functions like crypto_x509_MarshalPKCS1PrivateKey
convert RSA private keys to PKCS #1 format, while encoding_pem_EncodeToMemory
generates PEM-encoded keys for encryption.
Targeted Applications and Services:
Before initiating encryption, the ransomware kills processes and services related to databases, email clients, and antivirus software.
- Windows: Uses
cmd.exe
commands such astaskkill
andschtasks
to terminate processes likemsftesql.exe
andsqlservr.exe
. - Linux: Executes commands using
os_exec_command
with/bin/bash/
to stop services like MySQL and PostgreSQL.
Directory Exclusions:
TellYouThePass excludes critical directories from encryption to maintain system operability.
- Windows:
Program Files
,Recycle.Bin
,System Volume Information
. - Linux:
/bin
,/boot
,/etc
,/lib
.
Targeted File Extensions:
The ransomware encrypts a wide range of file types, including documents, images, and databases, saving their paths in encfile.txt
. Examples include .docx
, .xlsx
, .jpg
, .sql
, and .zip
.
Ransom Note and Payment Details
TellYouThePass delivers a ransom note outlining its encryption process. Victims are instructed to pay 0.05 Bitcoin to a hardcoded wallet address to receive the decryption key. Each victim is assigned a unique personid
for identification.
Implications and Recommendations
The use of Golang enhances the ransomware’s cross-platform capabilities, posing a significant threat to organizations operating both Windows and Linux environments. Its ability to kill antivirus processes and target critical applications heightens its impact.
Mitigation Strategies:
- Regularly update and patch systems to close vulnerabilities.
- Monitor and restrict the use of admin privileges to prevent unauthorized process terminations.
- Implement robust backup and recovery mechanisms to minimize data loss.
- Employ advanced threat detection tools to identify anomalous activity associated with ransomware attacks.
TellYouThePass highlights the evolving sophistication of ransomware, emphasizing the need for proactive cybersecurity measures to mitigate risks.
Featured Resources
Subscribe to Our Blog
Subscribe now to get the latest insights, expert tips and updates on threat exposure validation.