Tags: RansomOps
Attribution: 💰Cybercrime
References:
Last edited: Aug 7, 2024 10:42 AM
Status: Finalized
Cloud-fluent
Unique Tools
The TellYouThePass gang has run the TellYouThePass ransomware campaign since 2019 and is known for exploiting n-day vulnerabilities. The gang uses the Windows mshta.exe binary to run a malicious HTML application (HTA) file containing VBScript with a base64-encoded string. The string decodes to a binary that loads a .NET variant of the ransomware into the host's memory. The ransomware then sends an HTTP request disguised as a CSS resource request to a command-and-control server and encrypts files on the infected machine. A ransom note, "READ_ME10.html", is left on the system with instructions for the victim on how to restore their files.
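The chain above leaves three observable traces a defender can look for: mshta.exe launched with an .hta file, a request for a "stylesheet" that does not come back as CSS (or does not come from a browser), and the ransom note file being written. The following Python sketch is an added example, not code from the original profile or from the gang's tooling. It runs those three checks over constructed EDR-style events; the event field names, the browser allow-list and the content-type-mismatch heuristic are assumptions, and the IP address is from the documentation range, not a real indicator.

```python
"""Defender-side checks for the TellYouThePass execution chain.

All telemetry below is constructed for illustration; field names are assumed
and do not follow any particular EDR product's schema.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample events (not real data). ws01 shows the described chain,
# ws02 shows a benign browser fetching an actual stylesheet.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\Public\update.hta"},
    {"host": "ws01", "type": "network", "process": "mshta.exe", "method": "GET",
     "url": "http://203.0.113.10/static/style.css",        # TEST-NET-3, constructed
     "resp_content_type": "application/octet-stream"},
    {"host": "ws01", "type": "file", "action": "create",
     "path": r"C:\Users\alice\Documents\READ_ME10.html"},
    {"host": "ws02", "type": "process", "parent": "explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe"},
    {"host": "ws02", "type": "network", "process": "firefox.exe", "method": "GET",
     "url": "https://example.com/assets/site.css",
     "resp_content_type": "text/css"},
]

RANSOM_NOTE = "read_me10.html"  # ransom note name given in the profile
# Assumed allow-list of processes that legitimately fetch stylesheets.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def mshta_hta_launch(ev):
    """Process event: mshta.exe started with an .hta file on its command line."""
    if ev.get("type") != "process":
        return False
    image = ev.get("image", "").lower()
    return image.endswith("mshta.exe") and ".hta" in ev.get("cmdline", "").lower()


def disguised_css_beacon(ev):
    """Network event: URL path looks like a stylesheet, but the response is not
    CSS or the requesting process is not a browser (heuristic, assumed)."""
    if ev.get("type") != "network":
        return False
    path = urlparse(ev.get("url", "")).path.lower()
    if not path.endswith(".css"):
        return False
    ctype = ev.get("resp_content_type", "").lower()
    proc = ev.get("process", "").lower()
    return not ctype.startswith("text/css") or proc not in BROWSERS


def ransom_note_dropped(ev):
    """File event: a file with the ransom note's name is created."""
    if ev.get("type") != "file" or ev.get("action") != "create":
        return False
    name = ev.get("path", "").replace("\\", "/").rsplit("/", 1)[-1]
    return name.lower() == RANSOM_NOTE


CHECKS = (mshta_hta_launch, disguised_css_beacon, ransom_note_dropped)


def score_hosts(events):
    """Return {host: [names of checks that fired, in event order]} for hosts
    with at least one hit; hosts with no hits are omitted."""
    findings = defaultdict(list)
    for ev in events:
        host = ev.get("host", "unknown")
        for check in CHECKS:
            if check(ev):
                hits = findings[host]
                if check.__name__ not in hits:
                    hits.append(check.__name__)
    return dict(findings)


if __name__ == "__main__":
    for host, hits in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(hits)}")
```

Each check is weak on its own (mshta.exe has legitimate uses, and a mis-typed content-type is common on sloppy web servers), which is why `score_hosts` groups hits per host: the three firing together on one machine, in that order, is the signal worth paging on.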