{
	"id": "6e3897cf-5c0d-412d-a43e-cc4f771be443",
	"created_at": "2026-04-06T00:17:17.952483Z",
	"updated_at": "2026-04-10T13:12:19.554916Z",
	"deleted_at": null,
	"sha1_hash": "1aa3a93e050ebe41afe7f66ece59ae719aca7815",
	"title": "TellYouThePass Ransomware Analysis Reveals Modern Reinterpretation Using Golang",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7854212,
	"plain_text": "TellYouThePass Ransomware Analysis Reveals Modern Reinterpretation Using Golang\r\nBy Anmol Maurya\r\nArchived: 2026-04-05 16:28:15 UTC\r\nTellYouThePass ransomware, discovered in 2019, recently re-emerged compiled using Golang\r\nGolang’s popularity among malware developers makes cross-platform development more accessible\r\nTellYouThePass ransomware was recently associated with Log4Shell post-exploitation, targeting Windows and Linux\r\nThe CrowdStrike Falcon® platform protects customers from Golang-written TellYouThePass ransomware using the power of machine learning and behavior-based detection\r\nThe TellYouThePass ransomware family was recently reported as a post-exploitation malicious payload used in conjunction with a remote code execution vulnerability in the Apache Log4j library, dubbed Log4Shell.\r\nTellYouThePass was first reported in early 2019 as a financially motivated ransomware designed to encrypt files and demand payment for restoring them. Targeting both Windows and Linux systems, TellYouThePass ransomware re-emerged in mid-December 2021 along with other ransomware like Khonsari. This lesser-known ransomware family came back into the spotlight as a post-exploitation payload associated with Log4Shell. The remote code execution vulnerability is estimated to expose affected organizations to a wave of cybersecurity risks.\r\nPreviously known TellYouThePass ransomware samples were written in traditional programming languages like Java or .NET, but two new recent samples reported in public repositories have been rewritten and compiled in Golang. Golang’s popularity among malware developers has steadily increased over the past years. It allows them to use the same codebase and compile it for all major operating systems, making cross-platform development work more accessible. What follows is a deeper dive into the new Golang-written TellYouThePass ransomware samples for Windows and Linux and how the CrowdStrike Falcon® platform protects against them.\r\nSetting Up the Analysis\r\nWe first check the binary for the “Go build id” string to identify the Golang build used for compiling it. In recent campaigns of Go-written malware, especially in ransomware cases, attackers patch the binary to remove this string, making it difficult for researchers to use string-based signatures to detect the binary as Go. Going through the two samples — 460b096aaf535b0b8f0224da0f04c7f7997c62bf715839a8012c1e1154a38984 (Windows) and 5c8710638fad8eeac382b0323461892a3e1a8865da3625403769a4378622077e (Linux) — we noticed that more than 85% of the code in the Windows and Linux versions is almost the same:\r\nhttps://www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/\r\nPage 1 of 12\r\nFigure 1. The “main.” functions for both Windows and Linux samples are almost identical\r\nA deeper dive into some of the ransomware’s functions:\r\nFigure 2. TellYouThePass ransomware functions for the Windows sample in IDA Pro\r\nAs we have previously discussed, we start by focusing on the “main.” functions in Golang. We notice in this case that the malware authors have left only one main function and changed the other functions to random names, making analysis difficult. The sample checks for the existence of the files “showkey.txt” and “public.txt” with the help of os.Getenv, using \"ALLUSERSPROFILE\" and \"HOMEDRIVE\" as keys in Windows and Home and /tmp/ in Linux. If they are present, it means encryption already occurred, and it exits using runtime_gopanic; otherwise, it creates them.\r\nFigure 3. Encryption function followed by successful encryption for both Linux and Windows\r\nFor Windows, the return is \"C:\\\\ProgramData\" and the /root/ directory in Linux. Using path.join to join \"showkey.txt\" and “public.txt” with the directories results in:\r\nWindows: C:\\\\ProgramData/showkey.txt, C:\\\\ProgramData/public.txt\r\nLinux: /root/showkey.txt, /root/public.txt\r\nTable 1. Directories for saving showkey.txt and public.txt\r\nThe sample uses the Golang crypto packages for RSA key generation; some of the functions used are crypto_x509_MarshalPKCS1PublicKey, crypto_x509_MarshalPKCS1PrivateKey, encoding_pem_EncodeToMemory and crypto_rsa_GenerateMultiPrimeKey. As seen in Figure 4, crypto_x509_MarshalPKCS1PrivateKey converts the RSA private key to PKCS #1, ASN.1 DER form. Then, encoding_pem_EncodeToMemory returns the PEM (Privacy Enhanced Mail) encoding, and after that, runtime_slicebytetostring converts the resulting bytes to a string (see Figure 5).\r\nFigure 4. Function that generates the RSA private key\r\nFigure 5. The generated RSA key\r\nThe RSA public key is generated using the Golang functions encoding_base64_ptr_Encoding_DecodeString and encoding_pem_encode, as shown in Figure 6.\r\nFigure 6. Base64 decoding\r\nAfter that, the PERSON_ID stores the encoding generated by “encoding_base64__ptr_Encoding_EncodeToString” (in this case: “ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/” as the alphabet for Base64 standard encoding) every time the sample runs, saving it into “showkey.txt”. Afterward, another key is generated using the function below (Figure 7), also saving it into “public.txt”:\r\nFigure 7. Key generation function\r\nRansomware Behavior Prior to Encryption\r\nTellYouThePass ransomware tries to kill some tasks and services before initiating the encryption routine, as shown in Table 2 below. However, in Linux, it requires root privilege to do that. Targeted applications include various email clients, database applications, web servers and document editors. It runs various commands using cmd.exe to kill tasks in Windows, and in Linux, it uses the os_exec_command Go package to execute different commands using /bin/bash/ :\r\nWindows:\r\n\"taskkill /f /im msftesql.exe\"\r\n\"schtasks /delete /tn WM /F\"\r\n\"taskkill /f /im sqlagent.exe\"\r\n\"taskkill /f /im sqlbrowser.exe\"\r\n\"taskkill /f /im sqlservr.exe\"\r\n\"taskkill /f /im sqlwriter.exe\"\r\n\"taskkill /f /im oracle.exe\"\r\n\"taskkill /f /im ocssd.exe\"\r\n\"taskkill /f /im dbsnmp.exe\"\r\n\"taskkill /f /im synctime.exe\"\r\n\"taskkill /f /im mydesktopqos.exe\"\r\n\"taskkill /f /im agntsvc.exeisqlplussvc.\"\r\n\"taskkill /f /im xfssvccon.exe\"\r\n\"taskkill /f /im mydesktopservice.exe\"\r\n\"taskkill /f /im ocautoupds.exe\"\r\n\"taskkill /f /im agntsvc.exeagntsvc.exe\"\r\n\"taskkill /f /im agntsvc.exeencsvc.exe\"\r\n\"taskkill /f /im firefoxconfig.exe\"\r\n\"taskkill /f /im tbirdconfig.exe\"\r\n\"taskkill /f /im ocomm.exe\"\r\n\"taskkill /f /im mysqld.exe\"\r\n\"taskkill /f /im mysqld-nt.exe\"\r\n\"taskkill /f /im mysqld-opt.exe\"\r\n\"taskkill /f /im dbeng50.exe\"\r\n\"taskkill /f /im sqbcoreservice.exe\"\r\n\"taskkill /f /im excel.exe\"\r\n\"taskkill /f /im infopath.exe\"\r\n\"taskkill /f /im msaccess.exe\"\r\n\"taskkill /f /im mspub.exe\"\r\n\"taskkill /f /im onenote.exe\"\r\n\"taskkill /f /im outlook.exe\"\r\n\"taskkill /f /im powerpnt.exe\"\r\n\"taskkill /f /im steam.exe\"\r\n\"taskkill /f /im sqlservr.exe\"\r\n\"taskkill /f /im thebat.exe\"\r\n\"taskkill /f /im thebat64.exe\"\r\n\"taskkill /f /im thunderbird.exe\"\r\n\"taskkill /f /im visio.exe\"\r\n\"taskkill /f /im winword.exe\"\r\n\"taskkill /f /im wordpad.exe\"\r\n\"taskkill /f /im tnslsnr.exe\"\r\nLinux:\r\n\"service mysql stop\"\r\n\"/etc/init.d/mysqld stop\"\r\n\"service oracle stop\"\r\n\"systemctl disable \\\"postgresql*\\\"\"\r\n\"systemctl disable \\\"mysql*\\\"\"\r\n\"systemctl disable \\\"oracle*\\\"\"\r\nTable 2. TellYouThePass commands that try to terminate some tasks and services before initiating the encryption routine\r\nAfter that, it iterates through all directories from A to Z and encrypts the files. Both the Windows and the Linux versions have a list of directory exclusions for encryption, shown in Table 3.\r\nWindows: EFI.Boot, EFI.Microsoft, Windows, Program Files, All Users, Boot, IEidcache, ProgramData, desktop.ini, autorun.inf, netuser.dat, iconcache.db, thumbs.db, Local Settings, bootfont.bin, System Volume Information, AppData, Recycle.Bin, Recovery\r\nLinux: /bin, /boot, /sbin, /tmp, /etc, /lib, /proc, /dev, /sys, /usr/include, /usr/java\r\nTable 3. TellYouThePass directory exclusions for encryption\r\nThe TellYouThePass ransomware focuses on encrypting popular media and file extensions, saving their paths in the \"encfile.txt\" text file, located in the same folder as \"public.txt\" and \"showkey.txt\". Below is the full list of targeted extensions for encryption: 1cd, 3dm, 3ds, 3fr, 3g2, 3gp, 3pr, 602, 7z, ps1, 7zip, aac, ab4, accdb, accde, accdr, accdt, ach, acr, act, adb, adp, ads, aes, agdl, ai, aiff, ait, al, aoi, apj, arc, arw, asc, asf, asm, asp, aspx, asx, avi, awg, back, backup, backupdb, bak, bank, bat, bay, bdb, bgt, bik, bin, bkp, blend, bmp, bpw, brd, c, cdf, cdr, cdr3, cdr4, cdr5, cdr6, cdrw, cdx, ce1, ce2, cer, cfg, cgm, cib, class, cls, cmd, cmt, conf, config, contact, cpi, cpp, cr2, craw, crt, crw, cs, csh, csl, csr, css, csv, dac, dat, db, db3, db_journal, dbf, dbx, dc2, dch, dcr, dcs, ddd, ddoc, ddrw, dds, der, des, design, dgc, dif, dip, dit, djv, djvu, dng, doc, docb, docm, docx, dot, dotm, dotx, drf, drw, dtd, dwg, dxb, dxf, dxg, edb, eml, eps, erbsql, erf, exf, fdb, ffd, fff, fh, fhd, fla, flac, flf, flv, flvv, fpx, frm, fxg, gif, gpg, gray, grey, groups, gry, gz, h, hbk, hdd, hpp, html, hwp, ibank, ibd, ibz, idx, iif, iiq, incpas, indd, jar, java, jnt, jpe, jpeg, jpg, jsp, jspx, ashx, js, kc2, kdbx, kdc, key, kpdx, kwm, laccdb, lay, lay6, ldf, lit, log, lua, m, m2ts, m3u, m4p, m4u, m4v, mapimail, max, mbx, md, mdb, mdc, mdf, mef, mfw, mid, mkv, mlb, mml, mmw, mny, moneywell, mos, mov, mp3, mp4, mpeg, mpg, mrw, ms11, msg, myd, myi, nd, ndd, ndf, nef, nk2, nop, nrw, ns2, ns3, ns4, nsd, nsf, nsg, nsh, nvram, nwb, nx2, nxl, nyf, oab, obj, odb, odc, odf, odg, odm, odp, ods, odt, ogg, oil, orf, ost, otg, oth, otp, ots, ott, p12, p7b, p7c, pab, pages, paq, pas, pat, pcd, pct, pdb, pdd, pdf, pef, pem, pfx, php, pif, pl, plc, plus_muhd, png, pot, potm, potx, ppam, pps, ppsm, ppsx, ppt, pptm, pptx, prf, ps, psafe3, psd, pspimage, pst, ptx, pwm, py, qba, qbb, qbm, qbr, qbw, qbx, qby, qcow, qcow2, qed, r3d, raf, rar, rat, raw, rb, rdb, rm, rtf, rvt, rw2, rwl, rwz, s3db, safe, sas7bdat, sav, save, say, sch, sd0, sda, sdf, sh, sldm, sldx, slk, sql, sqlite, sqlite3, sqlitedb, sr2, srf, srt, srw, st4, st5, st6, st7, so, st8, stc, std, sti, stm, stw, stx, svg, swf, sxc, sxd, sxg, sxi, sxm, sxw, tar, tar.bz2, tbk, tex, tga, tgz, thm, tif, tiff, tlg, txt, uop, uot, vb, vbox, vbs, vdi, vhd, vhdx, vmdk, vmsd, vmx, vmxf, vob, wab, wad, wallet, war, wav, wb2, wk1, wks, wma, wmv, wpd, wps, x11, x3f, xis, xla, xlam, xlc, xlk, xlm, xlr, xls, xlsb, xlsm, xlsx, xlt, xltm, xltx, xlw, xml, ycbcra, yuv, zip.\r\nFinally, the ransom note contains information about the encryption algorithm used to encrypt the files, specifically RSA-1024 and AES-256. It also includes the personid, used for identifying the victim. Following a 0.05 bitcoin transfer into a designated and hardcoded wallet, attackers promise to provide victims with the decryption tool to recover all files.\r\nFigure 9. TellYouThePass ransom note\r\nCrowdStrike Falcon® Protection\r\nThe Falcon platform automatically detects and protects against this type of Golang-written malware using the power of the cloud, on-sensor and in-the-cloud machine learning, and indicators of attack (IOAs) to detect the threat. As Figure 10 shows, Falcon’s cloud-based machine learning detects both Golang-written ransomware samples for TellYouThePass, immediately protecting Windows and Linux environments. CrowdStrike Falcon® leverages machine learning to identify known and unknown malware or threats by understanding malicious intent. Both on-sensor and cloud-based machine learning can detect and prevent post-exploitation threats leveraging exploits such as Log4Shell to protect against malware, including the new Golang-written TellYouThePass ransomware.\r\nFigure 10. Falcon detection of Golang-written Windows TellYouThePass ransomware sample\r\nFigure 11. Falcon detection of Golang-written Linux TellYouThePass ransomware sample\r\nThe CrowdStrike Falcon® platform provides protection against threats and visibility for all hosts in Windows, Linux and macOS, regardless of their location. The Falcon sensor can detect and prevent threats ranging from ransomware, cryptocurrency miners, trojans and botnets to stop today’s most sophisticated threats.\r\nIndicators of Compromise (IOCs)\r\nMITRE ATT\u0026CK® Framework Mapping\r\nAttack Id | Tactic | Description\r\nT1059 | Execution | Command and Scripting Interpreter\r\nT1053 | Execution, Persistence, Privilege Escalation | Scheduled Task/Job\r\nT1027 | Defense Evasion | Obfuscated Files or Information\r\nT1140 | Defense Evasion | Deobfuscate/Decode Files or Information\r\nT1083 | Discovery | File and Directory Discovery\r\nT1057 | Discovery | Process Discovery\r\nT1560 | Collection | Archive Collected Data\r\nT1486 | Impact | Data Encrypted for Impact\r\nAdditional Resources\r\nRead more about Golang malware in this blog: Golang Malware Is More than a Fad: Financial Motivation Drives Adoption\r\nLearn about another ransomware variant that uses a Golang packer: New Ransomware Variant Uses Golang Packer\r\nVisit the product website to learn how the powerful CrowdStrike Falcon® platform provides comprehensive protection across your organization, workers and data, wherever they are located.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and see how true next-gen AV performs against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/"
	],
	"report_names": [
		"tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang"
	],
	"threat_actors": [],
	"ts_created_at": 1775434637,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1aa3a93e050ebe41afe7f66ece59ae719aca7815.pdf",
		"text": "https://archive.orkl.eu/1aa3a93e050ebe41afe7f66ece59ae719aca7815.txt",
		"img": "https://archive.orkl.eu/1aa3a93e050ebe41afe7f66ece59ae719aca7815.jpg"
	}
}