Researchers found that a Tellyouthepass ransomware variant was active during a routine investigation of suspicious files. The attacker packages the executable with a compression tool and bundles an exploit module for the MS16-032 kernel privilege escalation vulnerability together with an EternalBlue lateral-movement module into the ransomware attack package, giving it worm-like propagation across the internal network.
The complete attack package is an exe executable produced with a compression tool. When it runs, the run_update.bat script inside the package is executed first.
The run_update.bat script then launches the other two modules, with awindows_privedge.exe as their parent process.
awindows_privedge.exe is an exploit program for the MS16-032 kernel privilege escalation vulnerability. The attacker uses it to run the other attack modules with SYSTEM privileges, so that the ransomware can encrypt a wider range of files and the spread across the internal network proceeds more reliably.
After encryption completes, every affected file carries the added .locked extension, and a ransom note named README.html is left behind.
Block all threat indicators at your respective controls.
Search for IOCs in your environment.
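The write-up gives two host-side indicators a responder can hunt for: the process chain (run_update.bat spawning awindows_privedge.exe, which in turn spawns the other modules) and the on-disk result (.locked files next to a README.html note). The following Python is an added example, not code from the original report; the process-event schema (pid, ppid, image, cmdline), the sample events, the child module names module_a.exe and module_b.exe, and the sample file paths are all constructed here for illustration.

```python
"""Hunting helpers for the Tellyouthepass attack chain described above.

Assumed, not from the report: each process-creation event is a dict with
pid, ppid, image (basename) and cmdline. The sample events and paths below
are constructed so the script runs offline.
"""
import os
from collections import defaultdict

# Indicators taken from the write-up.
STAGING_SCRIPT = "run_update.bat"        # first script executed from the package
PRIVESC_IMAGE = "awindows_privedge.exe"   # MS16-032 exploit, parent of the other modules
ENCRYPTED_EXT = ".locked"                 # extension appended to encrypted files
RANSOM_NOTE = "readme.html"               # ransom note name, compared case-insensitively

# Constructed process-creation events (assumed schema, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe", "cmdline": "cmd.exe /c run_update.bat"},
    {"pid": 300, "ppid": 200, "image": "awindows_privedge.exe", "cmdline": "awindows_privedge.exe"},
    {"pid": 301, "ppid": 300, "image": "module_a.exe", "cmdline": "module_a.exe"},  # constructed name
    {"pid": 302, "ppid": 300, "image": "module_b.exe", "cmdline": "module_b.exe"},  # constructed name
    {"pid": 400, "ppid": 100, "image": "notepad.exe", "cmdline": "notepad.exe"},
]


def index_events(events):
    """Return a pid -> event map and a ppid -> [child events] map."""
    by_pid = {}
    children = defaultdict(list)
    for e in events:
        by_pid[e["pid"]] = e
        children[e["ppid"]].append(e)
    return by_pid, children


def find_privesc_chains(events):
    """Flag every awindows_privedge.exe process that was staged by
    run_update.bat or that spawned child executables, mirroring the
    parent/child relationship the report describes."""
    by_pid, children = index_events(events)
    hits = []
    for e in events:
        if e["image"].lower() != PRIVESC_IMAGE:
            continue
        parent = by_pid.get(e["ppid"])
        staged = parent is not None and STAGING_SCRIPT in parent["cmdline"].lower()
        spawned = [c["image"] for c in children.get(e["pid"], [])]
        if staged or spawned:
            hits.append({"pid": e["pid"], "staged_by_bat": staged, "children": spawned})
    return hits


def find_encryption_indicators(paths):
    """Given file paths (e.g. from a directory walk), return the directories
    that hold both .locked files and a README.html note, with the count of
    encrypted files in each. A note on its own is not enough to flag."""
    locked = defaultdict(int)
    note_dirs = set()
    for p in paths:
        directory, name = os.path.split(p)
        lowered = name.lower()
        if lowered.endswith(ENCRYPTED_EXT):
            locked[directory] += 1
        elif lowered == RANSOM_NOTE:
            note_dirs.add(directory)
    return {d: n for d, n in locked.items() if d in note_dirs}


# Constructed directory listing; forward slashes keep os.path portable.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/report.docx.locked",
    "C:/Users/alice/Documents/budget.xlsx.locked",
    "C:/Users/alice/Documents/README.html",
    "C:/Users/alice/Pictures/holiday.jpg",
    "C:/Users/alice/Pictures/README.html",  # note without encrypted files: not flagged
]

if __name__ == "__main__":
    print("process chains:", find_privesc_chains(SAMPLE_EVENTS))
    print("encrypted dirs:", find_encryption_indicators(SAMPLE_PATHS))
```

In a real deployment the event list would come from Sysmon or EDR process-creation telemetry and the path list from a scan of user and share directories; matching on the image name alone is a weak signal, so the chain check additionally requires either the batch-file parent or spawned children before reporting a hit.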