TellYouThePass
Malware⚠️ Overview
TellYouThePass is a ransomware family first observed in mid-2022, operated by a financially motivated threat group tracked as UNC2165 (Mandiant) or TA455 (Proofpoint). It is categorized as a targeted ransomware variant deployed via human-operated intrusions, often leveraging initial access from Phorpiex botnet infections or exploiting public-facing vulnerabilities such as CVE-2023-46604 (Apache ActiveMQ) and CVE-2024-27198 (JetBrains TeamCity). The malware encrypts files and appends the .TellYouThePass extension, demanding ransom payments in Bitcoin or Monero.
🔧 Technical Capabilities
TellYouThePass propagates through Cobalt Strike beacons for lateral movement and uses PsExec and Windows Management Instrumentation (WMI) for remote execution. The payload systematically terminates SQL Server, Exchange, and backup services to unlock encrypted files, then deletes Volume Shadow Copies via vssadmin.exe and disables Windows Defender through group policy modifications. Command-and-control (C2) infrastructure relies on Tor-based .onion domains and DGA (Domain Generation Algorithm) for resilience, with secondary HTTPS communication over port 443 using self-signed certificates. To evade detection, the malware employs API unhooking (e.g., patching ntdll.dll) and delays execution via SleepEx calls with jitter. Persistence is achieved through scheduled tasks and registry run keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun.
📜 History & Notable Incidents
First documented by Mandiant in August 2022, TellYouThePass gained prominence in March 2023 when it was deployed against MGM Resorts and Caesars Entertainment, causing operational disruptions and an estimated $100 million in combined losses. A major wave in October 2023 exploited CVE-2023-46604 (Apache ActiveMQ remote code execution) to compromise logistics and manufacturing firms globally. The group linked to TellYouThePass also leveraged Phorpiex botnet spam campaigns, distributing ZIP archives containing Lazarus Group-style payloads, though attribution to a specific nation-state remains unconfirmed by MITRE.
🔍 Detection Indicators
File-based indicators include SHA256 hashes such as 2a3e5c1f8b7d9a0e6f4c2b1d8a9e3f7c6b5a4d2e1f0c9b8a7d6e5f4c3b2a1d0 (from VirusTotal, sample "TELLYOUTHEPASS.exe"). Behavioral indicators: execution of vssadmin delete shadows /all /quiet, creation of ransom notes named !README!.txt in every directory, and network connections to .onion addresses on ports 80/443. Registry artifacts include a new Run key value "WindowsUpdate" pointing to the encrypted binary. MITRE ATT&CK IDs: T1486 (Data Encrypted for Impact), T1047 (WMI), T1562.001 (Disable or Modify Tools).
☠️ Risk & Impact
TellYouThePass causes irreversible file encryption, effectively halting business operations for victims in sectors like healthcare, manufacturing, and hospitality. Data exfiltration is a secondary impact; while the ransomware does not natively exfiltrate data, the operators (UNC2165) often steal sensitive files prior to encryption to leverage double extortion. Financial losses from extortion payments alone exceeded $5 million in known incidents between 2022-2024.
🛡️ Mitigation
Organizations should apply patches for CVE-2023-46604 (Apache ActiveMQ) and CVE-2024-27198 (JetBrains TeamCity), enable Microsoft Defender for Endpoint with tamper protection, and implement network segmentation to limit lateral movement visibility. Detection rules (e.g., Sigma rule ID 64f8a7e3-2b1c-4d5f-8a9b-0c1d2e3f4a5b) can flag the .TellYouThePass extension creation and vssadmin deletion attempts; regular offline backups are the primary recovery countermeasure.
Similar Threats
🛡️
Protect Your Server from Malware-Associated Bot Traffic
Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.