TellYouThePass ransomware has made a comeback with an added compilation of the Go language (Golang) to its malicious infrastructure. This enables the ransomware to easily target operating systems beyond Windows.

The comeback 

A report from Crowdstrike disclosed code-level changes in TellYouThePass, making it easier to compile for platforms such as macOS and Linux.
  • Researchers have reported a code similarity of 85% between the Linux and Windows samples of TellYouThePass. 
  • Additionally, they observed several other changes, including the use of a new encryption algorithm.
  • The encryption routine uses the AES-256/RSA-2014 algorithms and no free decryptor is available for this ransomware.
  • The ransom note demands 0.05 Bitcoin, presently converting to around $2,150, for the decryption tool.

Notably, the sample uses the Golang Crypto Packages to generate the RSA key.

What else is new?

The latest samples have randomized the names of all functions except the “main” function, which thwarts the analysis.
  • Before the start of encryption, the ransomware kills tasks and services that may interrupt the encryption process, such as email clients, web servers, document editors, and database apps.
  • Further, some directories are excluded from encryption to stop the system from being non-bootable.

A background into the actor

TellYouThePass is financially motivated ransomware that was first seen in 2019.
  • It was initially designed to target Windows devices.
  • Recently, the ransomware was spotted leveraging a critical remote code execution flaw, Log4Shell for its attacks.


The recent development of TellYouThePass ransomware shows how cybercriminals are using modern languages to make their threats more capable. The threat now targets multiple operating systems, which makes it a more versatile threat. Moreover, these updates indicate that the operators of this malware are planning to further make investments in this malware in the coming future.

Cyware Publisher