The TellYouThePass ransomware gang has been exploiting the recently patched PHP vulnerability CVE-2024-4577 to deploy webshells and run its encryptor payload on target systems. Attacks began on June 8, shortly after the security updates were released, and used publicly available exploit code. TellYouThePass has a history of exploiting widely impactful vulnerabilities, including flaws in Apache ActiveMQ and Log4j. The current attacks encrypt files and demand a ransom of 0.1 BTC (~$6,700) for decryption.
TellYouThePass leverages the critical-severity CVE-2024-4577 bug to execute arbitrary PHP code on target systems. The gang uses the Windows mshta.exe binary to run a malicious HTML application (HTA) file containing VBScript with a base64-encoded string. That string decodes into a binary that loads a .NET variant of the ransomware into the host's memory. The ransomware then sends an HTTP request disguised as a CSS resource request to a command-and-control server and encrypts files on the infected machine. A ransom note, "READ_ME10.html," is left on the system with instructions for the victim on how to restore their files. Reports indicate that these attacks have impacted multiple websites since they began.
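As an added illustration from the defender's side (this is example code, not from the article or from any vendor's tooling), the following Python sketches how the two host-level artefacts described above could be flagged in process-creation and file-creation telemetry: a PHP worker process spawning mshta.exe with an .hta argument, and a ransom note named READ_ME10.html being written. The event schema, the `php-cgi.exe`/`php.exe` parent-process names and the sample paths are assumptions about how an EDR or Sysmon feed would present the data; the sample events are constructed, not captured.

```python
"""Detection helper for the TellYouThePass activity described above.

Added example, not code from the article. Assumptions:
  - process events carry parent image, image and command line;
  - the PHP process that ends up executing attacker-supplied code is
    php-cgi.exe or php.exe (adjust to the deployment);
  - file events carry a full path.
"""
import re
from dataclasses import dataclass

# Assumed parent-process names for a PHP worker on Windows.
PHP_PARENTS = {"php-cgi.exe", "php.exe"}
# Ransom note filename reported in the article.
RANSOM_NOTE = "read_me10.html"
# Any .hta argument on the mshta.exe command line.
HTA_RE = re.compile(r"\.hta\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    cmdline: str


@dataclass
class FileEvent:
    path: str


def _basename(path: str) -> str:
    """Lower-cased final component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_mshta(ev: ProcEvent) -> bool:
    """True when a PHP worker launches mshta.exe to run an HTA file."""
    return (
        _basename(ev.parent_image) in PHP_PARENTS
        and _basename(ev.image) == "mshta.exe"
        and bool(HTA_RE.search(ev.cmdline))
    )


def ransom_note_written(ev: FileEvent) -> bool:
    """True when the written file carries the reported ransom-note name."""
    return _basename(ev.path) == RANSOM_NOTE


def scan(events):
    """Return (rule_name, detail) tuples for every event that matches."""
    findings = []
    for ev in events:
        if isinstance(ev, ProcEvent) and suspicious_mshta(ev):
            findings.append(("mshta_from_php", ev.cmdline))
        elif isinstance(ev, FileEvent) and ransom_note_written(ev):
            findings.append(("ransom_note", ev.path))
    return findings


# Constructed sample telemetry (not real captured data).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\php\php-cgi.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Windows\Temp\x.hta"),          # should match
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Tools\help.hta"),             # benign parent
    ProcEvent(r"C:\php\php-cgi.exe", r"C:\php\php-cgi.exe",
              "php-cgi.exe index.php"),                     # normal PHP work
    FileEvent(r"C:\inetpub\wwwroot\READ_ME10.html"),        # should match
    FileEvent(r"C:\inetpub\wwwroot\index.html"),            # benign
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(rule, detail)
```

The first rule keys on the parent/child relationship rather than on mshta.exe alone, because mshta.exe launched by an interactive user is common; the second is a cheap file-name indicator that confirms the encryptor has already run, so it is a triage signal rather than a preventive one.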