One of the inactive ransomware families, TellYouThePass, has been revived. It has been discovered carrying out attacks on Windows and Linux systems by leveraging the recently discovered critical remote code execution flaw, Log4Shell, in Log4j.

What has happened?

A researcher from KnownSec 404 Team first alerted authorities on Twitter regarding attacks after spotting that the ransomware has seen a sudden spike just after the Log4Shell PoC exploits were released online.
  • The ransomware was being dropped on Windows systems by abusing the CVE-2021-44228 vulnerability.
  • A report by Sangfor Threat Intelligence Team, who captured one of the ransomware samples abusing Log4Shell exploits, revealed most of the targets were located in a Chinese province.
  • Further, experts at CronUP confirmed that the ransomware has a Linux version to collect SSH keys and move laterally inside victims' networks.
  • More security researchers have analyzed the ransomware samples and tagged them as the TellYouThePass family.

The Log4Shell havoc

In recent months, there have been so many incidents where cybercriminals have exploited the Log4Shell vulnerability.
  • Initially, a slew of state-sponsored hackers from China, Iran, North Korea, and Turkey were observed abusing the bug.
  • Recently, the Conti ransomware has started exploring the Log4Shell flaw to move laterally inside targets' networks.
  • Researchers from BitDefender found Khonsari ransomware abusing the Log4Shell exploits.


Log4Shell vulnerability is now being abused widely around the world by different ransomware groups, even the old groups are being revived to take advantage of this security flaw. Thus, it is highly recommended to apply security patches immediately, conduct a security review, and report compromises immediately. Here’s how you can protect yourself the Cyware way.
Cyware Publisher