The TellYouThePass Ransomware Reappeared After the Windows Log4j Attacks
The Vulnerability Is Used in Against Windows and Linux Devices Targeting a Critical Remote Code Execution Bug in the Apache Log4j Library.
Last updated on December 20, 2021
Tellyouthepass ransomware, commonly known as the.locked Files Virus, encrypts data and demands payment as a ransom to restore it.
The.locked Files Virus will encrypt a text file with ransomware instructions using military-grade encryption methods AES 256-bit and RSA 1024-bit to lock the data.
Threat actors have resurrected the TellYouThePass ransomware family, deploying it in attacks against Windows and Linux machines to exploit a severe remote code execution issue in the Apache Log4j framework.
As reported by BleepingComputer, the ransomware has a Linux version that harvests SSH keys and moves laterally throughout victims’ networks.
Recently, the Apache Log4j2 remote code execution high-risk vulnerability (CVE-2021-44228) was exposed. Various attack groups took advantage of the virtual reality. After Sangfor Cloud data monitoring, there have been groups that used this vulnerability to launch blackmail attacks.
On December 13, Sangfor’s terminal security team and Anfu’s emergency response center jointly monitored a ransomware called Tellyouthepass, which has attacked both platforms. Sangfor has captured a large number of Tellyouthepass ransomware interception logs, as shown in the figure.
TellYouThePass is not the first ransomware strain to be used in Log4Shell assaults since financially driven attackers started inserting Monero miners on compromised computers and state-backed hackers began leveraging it to establish footholds for further operations.
Khonsari ransomware payloads were also discovered on self-hosted Minecraft servers by the Microsoft 365 Defender Threat Intelligence Team.
Finally, Conti ransomware operators have added a Log4Shell attack to their arsenal, allowing them to traverse laterally via targets’ networks, obtain access to VMware vCenter Server instances, and encrypt virtual machines.
How Can Heimdal™ Help?
In the fight against ransomware, Heimdal™ Security is offering its customers an outstanding integrated cybersecurity suite including the Ransomware Encryption Protection module, that is universally compatible with any antivirus solution, and is 100% signature-free, ensuring superior detection and remediation of any type of ransomware, whether fileless or file-based (including the most recent ones like LockFile).
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.