TellYouThePass Ransomware Returns as a Cross-Platform Golang Threat
Malicious Actors Made Code Changes that Make It Easier to Build for Systems Other than Windows.
TellYouThePass is one of many ransomware programs that encrypt files and keep them encrypted until a ransom is paid. It renames every encrypted file with the “.locked” suffix and drops a ransom note in a file named “README.html”.
The ransomware encrypts data with a combination of RSA-1024 and AES-256. The only way to recover the files is to obtain a decryption program from TellYouThePass’s operators.
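The two file-system artifacts described above, the “.locked” suffix and the “README.html” note, are what an incident responder looks for first. The following is an added triage example written for this article, not code from the article or from any vendor; the scoring rules and the `min_locked` threshold are assumptions, and the directory layout it scans is constructed sample data.

```python
# Added example: triage scan for the two artifacts the article describes.
# Scoring rules and the min_locked threshold are assumptions, not documented
# TellYouThePass behaviour; the sample tree is constructed data.
import os
import tempfile
from pathlib import Path

LOCKED_SUFFIX = ".locked"   # suffix appended to encrypted files (from the article)
NOTE_NAME = "README.html"   # ransom note file name (from the article)


def scan_tree(root, min_locked=5):
    """Walk `root` and report where both artifacts appear together.

    A lone README.html is common in ordinary project trees, so a directory is
    flagged only when a note sits beside at least one .locked file. The whole
    tree is flagged when the .locked count reaches min_locked (assumed threshold).
    """
    locked_total = 0
    flagged_dirs = []
    for dirpath, _dirs, files in os.walk(root):
        locked_here = [f for f in files if f.endswith(LOCKED_SUFFIX)]
        locked_total += len(locked_here)
        if NOTE_NAME in files and locked_here:
            # normalise to forward slashes so the report is platform-independent
            flagged_dirs.append(Path(os.path.relpath(dirpath, root)).as_posix())
    return {
        "locked_files": locked_total,
        "flagged_dirs": sorted(flagged_dirs),
        "suspicious": locked_total >= min_locked or bool(flagged_dirs),
    }


def build_sample_tree():
    """Create a constructed post-infection layout in a temp dir (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="ransom-triage-"))
    docs = root / "home" / "alice" / "docs"
    src = root / "srv" / "app"
    docs.mkdir(parents=True)
    src.mkdir(parents=True)
    for name in ("budget.xlsx", "notes.txt", "photo.jpg"):
        (docs / (name + LOCKED_SUFFIX)).write_bytes(b"\x00" * 16)  # placeholder ciphertext
    (docs / NOTE_NAME).write_text("<html>constructed ransom note</html>")
    (src / NOTE_NAME).write_text("<html>ordinary project readme</html>")  # benign: no .locked neighbours
    (src / "main.go").write_text("package main\n")
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

On the constructed tree only `home/alice/docs` is flagged; the benign README.html under `srv/app` is ignored because no .locked files sit next to it.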
As reported by BleepingComputer, TellYouThePass ransomware has resurfaced as Golang-compiled malware, making it simpler to attack additional operating systems, particularly macOS and Linux.
Last month, threat actors deployed it by exploiting the Log4Shell vulnerability against susceptible devices, signaling the reappearance of the strain.
The choice of Golang is not surprising: malware authors began adopting the language in 2019 because of its cross-platform portability. Golang also packages the required libraries into a single binary, which the article’s sources credit with a smaller footprint of command and control (C2) server connections and, as a result, lower detection rates.
It is also easier to learn than languages such as Python, and it has modern debugging and plugin tooling that simplifies development.
CrowdStrike analysts found an 85 percent code similarity between the Linux and Windows variants of TellYouThePass, showing how few changes are needed to run the ransomware on other operating systems.
One notable change in the most recent samples is that every function except the main one has a randomized name, which is intended to hinder analysis.
Before encryption begins, TellYouThePass terminates processes and services that could interfere with it or leave files only partially encrypted, such as email clients, database programs, web servers, and document editors.
Some folders are also excluded from encryption so that the machine remains bootable; an unbootable victim cannot pay.
The encryption scheme appears to use the RSA-2014 and AES-256 algorithms, and no free decryptor is available at this time.
How Can Heimdal™ Help?
In the fight against ransomware, Heimdal™ Security offers its customers an integrated cybersecurity suite that includes the Ransomware Encryption Protection module, which is compatible with any antivirus solution and is 100% signature-free, ensuring detection and remediation of any type of ransomware, whether fileless or file-based (including recent families such as LockFile).