Threat actors have revived an old and relatively dormant ransomware family known as TellYouThePass, deploying it in attacks against Windows and Linux devices targeting a critical remote code execution bug in the Apache Log4j library.

The group's usual initial access vector is an email attachment, typically a Microsoft Word file. Once the file is downloaded, the ransomware is installed and prepares for encryption: any program that could interfere with encryption is disabled, and then encryption starts. After the files have been made inaccessible through encryption, the ‘.locked’ extension is appended to them. TellYouThePass targets large files such as media, images, databases, PDFs, Word documents and others.
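A defender's view of the behaviour just described: the sample below is an added detection example (not code from the original article or from the ransomware) that scans file-system rename events for a burst of targeted file types being renamed with the ‘.locked’ suffix. The event log format, the concrete extension list and the sample lines are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Extensions standing in for the file classes the article names (media, images,
# databases, PDFs, Word documents); the concrete list is an assumption.
TARGETED_EXTENSIONS = {"pdf", "doc", "docx", "jpg", "png", "mp4", "mp3", "db", "sql", "mdb"}
LOCKED_SUFFIX = ".locked"

# Constructed sample of file-system audit events (not real telemetry).
SAMPLE_EVENTS = """\
2021-12-13T10:00:00Z RENAME /srv/share/q4-report.pdf -> /srv/share/q4-report.pdf.locked
2021-12-13T10:00:01Z RENAME /srv/share/contract.docx -> /srv/share/contract.docx.locked
2021-12-13T10:00:02Z WRITE /srv/share/notes.txt
2021-12-13T10:00:02Z RENAME /srv/share/customers.db -> /srv/share/customers.db.locked
2021-12-13T10:00:03Z RENAME /srv/share/logo.png -> /srv/share/logo.png.locked
2021-12-13T10:00:04Z RENAME /srv/share/draft.tmp -> /srv/share/draft.bak
2021-12-13T10:00:05Z RENAME /srv/share/demo.mp4 -> /srv/share/demo.mp4.locked
2021-12-13T10:30:00Z RENAME /srv/share/old.jpg -> /srv/share/old.jpg.locked
"""

RENAME_RE = re.compile(r"^(\S+) RENAME (\S+) -> (\S+)$")


def parse_locked_renames(text):
    """Return (timestamp, original_path) for every rename that appends
    .locked to a file whose original extension is in the targeted set."""
    hits = []
    for line in text.splitlines():
        m = RENAME_RE.match(line)
        if not m:
            continue
        ts, src, dst = m.groups()
        if dst != src + LOCKED_SUFFIX:
            continue  # ordinary rename, not the ransomware pattern
        ext = src.rsplit(".", 1)[-1].lower() if "." in src else ""
        if ext in TARGETED_EXTENSIONS:
            hits.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src))
    return hits


def detect_bursts(text, window_seconds=60, threshold=5):
    """Sliding window over matching renames: emit (window_start, count)
    whenever `threshold` or more targeted files get .locked within the window."""
    hits = parse_locked_renames(text)
    window = timedelta(seconds=window_seconds)
    alerts, start = [], 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:
            start += 1  # drop events that fell out of the window
        if end - start + 1 >= threshold:
            alerts.append((hits[start][0], end - start + 1))
    return alerts
```

The isolated rename at 10:30 stays below the threshold, so only the five-file burst at 10:00 is reported.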

It should be noted that this is not the first time the TellYouThePass ransomware has used high-risk vulnerabilities to launch attacks: last year it used the EternalBlue vulnerabilities to attack multiple organizations.

TellYouThePass is not the first ransomware strain deployed in Log4Shell attacks: financially motivated attackers had already begun injecting Monero miners into compromised systems, and state-backed hackers began exploiting the bug to create footholds for tracking activity.

Remember that if you are attacked by ransomware there is no guarantee that your data will be returned after paying, so it is important to keep backups. All government authorities strongly advise against paying ransoms, as this only provides the criminals with more funding to continue their crimes.
