TellYouThePass, a ransomware family that had gone dormant, has resurfaced. The ransomware is exploiting the Apache Log4j vulnerability CVE-2021-44228 (Log4Shell) to target both Linux and Windows-based computers, researchers from the KnownSec 404 Team and the Sangfor Threat Intelligence Team reported.
A researcher from the KnownSec 404 Team first flagged the attacks on Twitter after noticing a sudden surge in the ransomware's activity shortly after Log4Shell PoC exploits were published online; the Sangfor security team later confirmed the attacks after intercepting the logs.
“On December 13, Sangfor’s terminal security team and Anfu’s emergency response center jointly monitored ransomware called Tellyouthepass, which has attacked both platforms. Sangfor has captured a large number of Tellyouthepass ransomware interception logs,” reads the analysis published by Sangfor.
It is worth noting that this is not the first time TellYouThePass ransomware has exploited severe flaws to launch attacks. As early as last year, the ransomware used the EternalBlue bug to target multiple organizational units.
Cybersecurity researchers received 30 samples of TellYouThePass ransomware on December 13, a high number considering the ransomware had remained inactive since the summer of 2020. According to Curated Intelligence, the ID-Ransomware (IDR) submission metric confirmed a surge in submissions of this ransomware.
“Curated Intel member @PolarToffee responded with an ID-Ransomware (IDR) metric, proving that on December 13th, more than 30 samples of ‘TellYouThePass’ ransomware were submitted to IDR, indicating that ‘a very sudden spike in submissions for what is a very old ransomware [that day],’” reported Curated Intelligence.
In recent months, there have been multiple incidents in which attackers exploited the Log4Shell vulnerability. Initially, the flaw was exploited by state-sponsored attackers from China, Iran, North Korea, and Turkey. Financially motivated attackers then began deploying Monero miners on compromised devices, while state-backed groups used the flaw to establish footholds for further operations.
Khonsari ransomware payloads were also identified on self-hosted Minecraft servers by the Bitdefender Threat Intelligence Team. The ransomware skips files with the .ini and .lnk extensions and encrypts the rest with AES-128 in CBC mode using PaddingMode.Zeros.
Finally, the Conti ransomware gang has added a Log4Shell exploit to its arsenal, using it to move laterally through victims’ networks, gain access to VMware vCenter Server instances, and encrypt virtual machines.