Security News > 2021 > December > TellYouThePass ransomware revived in Linux, Windows Log4j attacks

Threat actors have revived an old and relatively inactive ransomware family known as TellYouThePass, deploying it in attacks against Windows and Linux devices targeting a critical remote code execution bug in the Apache Log4j library.
KnownSec 404 Team's Heige first reported these attacks on Twitter on Monday after observing that the ransomware was dropped on old Windows systems using exploits targeting the flaw tracked as CVE-2021-44228 and known as Log4Shell.
Heige's report was confirmed by the Sangfor Threat Intelligence Team, who successfully captured one of the TellYouThePass ransomware samples deployed in attacks using Log4Shell exploits, according to Curated Intelligence.
Other security researchers [1, 2] have also analyzed one of the ransomware samples deployed in these attacks and tagged it as "Likely belonging" to the TellYouThePass family.
According to submission stats to the ID Ransomware service, TellYouThePass ransomware has seen a massive and sudden spike in activity after Log4Shell proof-of-concept exploits were released online.
TellYouThePass is not the first ransomware strain deployed in Log4Shell attacks since financially-motivated attackers began injecting Monero miners on compromised systems and state-backed hackers started exploiting it to create footholds for follow-on activity.
News URL
Related news
- Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks (source)
- Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks (source)
- Hunters International ransomware claims attack on Tata Technologies (source)
- Toronto Zoo shares update on last year's ransomware attack (source)
- Ransomware gang creates tool to automate VPN brute-force attacks (source)
- SANS Institute Warns of Novel Cloud-Native Ransomware Attacks (source)
- ⚡ THN Weekly Recap: Router Hacks, PyPI Attacks, New Ransomware Decryptor, and More (source)
- BlackLock ransomware claims nearly 50 attacks in two months (source)
- TechRepublic EXCLUSIVE: New Ransomware Attacks are Getting More Personal as Hackers ‘Apply Psychological Pressure” (source)
- New VanHelsing ransomware targets Windows, ARM, ESXi systems (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-12-10 | CVE-2021-44228 | Deserialization of Untrusted Data vulnerability in multiple products Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. network low complexity siemens apache intel debian fedoraproject sonicwall netapp cisco snowsoftware bentley percussion apple CWE-502 critical | 10.0 |