
Ransomware is being rewritten in Go for joint attacks on Windows, Linux users

The Google-created programming language has become increasingly popular in the malware community for its speed and effectiveness in targeting more users with the same code base


Cyber security researchers have found evidence that a years-old ransomware strain has returned, rewritten in Golang, a cross-platform programming language that lets a single code base target users across several operating systems.

The TellYouThePass ransomware was first discovered in 2019; researchers at Crowdstrike have now spotted a new strain being deployed as a second-stage payload after a successful exploit of the Log4Shell vulnerability disclosed in December 2021.

TellYouThePass was originally written in Java and .NET when it first circulated three years ago, but the pivot to Golang, usually shortened to 'Go', lets the attackers target both Windows and Linux with minimal changes to the malware's code.

Once their files are encrypted, victims are greeted with a demand for 0.05 Bitcoin (about £1,600 at the £31,960-per-coin price the piece quoted) in return for a decryption tool to recover them.

[Image: the ransom note displayed to victims]

Comparing the Windows and Linux samples, the researchers found that more than 85% of the code was near-identical across the two operating systems. Go therefore removes much of the rework that porting malware between platforms normally requires, they said.

This interoperability has resulted in a steady growth in the popularity of Golang among malware authors over the past few years, according to Crowdstrike.

Researchers noted that whoever rewrote TellYouThePass in Golang applied a number of obfuscation techniques to make analysis of its code harder.

The binary of the new TellYouThePass version has been patched to strip the strings that would normally reveal it as a Go program, so string-based signatures struggle to identify even the language it was written in.

The authors have also randomised the names of the malware's functions, leaving only the main function easily identifiable, another tactic that slows technical analysis of the ransomware.

[Image: analysis of TellYouThePass samples showing how function names are randomised]
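The two obfuscation steps above defeat rules that key on literal strings, but not every indicator of a Go binary is a string. As an added illustration (not code from the Crowdstrike report or from the malware), the Go program below scans raw file bytes for three independent indicators: the literal markers a naive signature looks for, the linker's build-info header, and the structure of the pclntab header (a version-specific magic followed by two pad bytes, the instruction quantum and the pointer size). Renaming functions changes the table's string data, not this header. The three samples are constructed byte strings standing in for an unpatched Go binary, a Go binary with its strings patched and its symbols randomised, and a non-Go executable; their names and the obfuscated symbol names are invented.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Literal markers a string-only rule keys on. TellYouThePass is reported to
// have patched these out, so a scanner relying on them alone misses the sample.
var stringMarkers = []string{"Go build ID:", "go1.", "runtime.main"}

// Magic values that open the Go pclntab header (runtime/symtab.go). Each Go
// release that changed the table layout changed the magic.
var pclntabMagics = []struct {
	magic uint32
	layout string
}{
	{0xfffffffb, "go1.2-1.15"},
	{0xfffffffa, "go1.16-1.17"},
	{0xfffffff0, "go1.18-1.19"},
	{0xfffffff1, "go1.20+"},
}

// buildInfoMagic is the 14-byte header of the build-info blob the Go linker embeds.
var buildInfoMagic = []byte("\xff Go buildinf:")

// Verdict records which independent indicators fired.
type Verdict struct {
	StringHits    []string // literal markers found
	BuildInfo     bool     // build-info header present
	PclntabLayout string   // Go version range inferred from the pclntab header, "" if none
}

// LooksLikeGo is true when any indicator fires.
func (v Verdict) LooksLikeGo() bool {
	return len(v.StringHits) > 0 || v.BuildInfo || v.PclntabLayout != ""
}

// StringsOnlyWouldMiss is true for a Go binary whose literal markers were patched out.
func (v Verdict) StringsOnlyWouldMiss() bool {
	return len(v.StringHits) == 0 && (v.BuildInfo || v.PclntabLayout != "")
}

// ScanForGo inspects raw file bytes for all three indicators.
func ScanForGo(b []byte) Verdict {
	var v Verdict
	for _, m := range stringMarkers {
		if bytes.Contains(b, []byte(m)) {
			v.StringHits = append(v.StringHits, m)
		}
	}
	v.BuildInfo = bytes.Contains(b, buildInfoMagic)
	v.PclntabLayout = findPclntab(b)
	return v
}

// findPclntab looks for a plausible pclntab header at any offset: little-endian
// magic, two zero pad bytes, minLC in {1,2,4} and ptrSize in {4,8}.
func findPclntab(b []byte) string {
	for i := 0; i+8 <= len(b); i++ {
		magic := binary.LittleEndian.Uint32(b[i : i+4])
		for _, m := range pclntabMagics {
			if magic != m.magic || b[i+4] != 0 || b[i+5] != 0 {
				continue
			}
			minLC, ptrSize := b[i+6], b[i+7]
			if (minLC == 1 || minLC == 2 || minLC == 4) && (ptrSize == 4 || ptrSize == 8) {
				return m.layout
			}
		}
	}
	return ""
}

// pclntabHeader builds the eight header bytes for the Go 1.18 layout on amd64
// (magic 0xfffffff0, pad, minLC=1, ptrSize=8). Constructed test data.
func pclntabHeader() []byte {
	h := make([]byte, 8)
	binary.LittleEndian.PutUint32(h, 0xfffffff0)
	h[6], h[7] = 1, 8
	return h
}

// sampleUnpatched mimics a stock Go binary: strings, build info and pclntab all present.
func sampleUnpatched() []byte {
	var buf bytes.Buffer
	buf.Write(bytes.Repeat([]byte{0xcc}, 64)) // filler standing in for code
	buf.WriteString("Go build ID: \"abc123\"\x00")
	buf.Write(buildInfoMagic)
	buf.WriteString("\x08\x00go1.18.3\x00")
	buf.Write(pclntabHeader())
	buf.WriteString("main.main\x00runtime.main\x00main.encryptFiles\x00")
	return buf.Bytes()
}

// samplePatched mimics the obfuscated build: markers overwritten, symbols
// randomised (only main.main left), pclntab header structurally intact.
func samplePatched() []byte {
	var buf bytes.Buffer
	buf.Write(bytes.Repeat([]byte{0xcc}, 64))
	buf.WriteString("Xx build XX: \"abc123\"\x00")
	buf.WriteString("\xff Xx xxxxxxxx:\x08\x00xx1x18x3\x00")
	buf.Write(pclntabHeader())
	buf.WriteString("main.main\x00a3Fx9Q.kL2\x00q8Zr.Wm\x00")
	return buf.Bytes()
}

// sampleNotGo mimics an unrelated native executable.
func sampleNotGo() []byte {
	var buf bytes.Buffer
	buf.WriteString("MZ\x90\x00This program cannot be run in DOS mode.\x00")
	buf.Write(bytes.Repeat([]byte{0x90}, 64))
	return buf.Bytes()
}

func main() {
	for _, s := range []struct {
		name string
		data []byte
	}{{"unpatched", sampleUnpatched()}, {"patched", samplePatched()}, {"not-go", sampleNotGo()}} {
		v := ScanForGo(s.data)
		fmt.Printf("%-10s go=%v strings=%v buildinfo=%v pclntab=%q strings-only-misses=%v\n",
			s.name, v.LooksLikeGo(), v.StringHits, v.BuildInfo, v.PclntabLayout, v.StringsOnlyWouldMiss())
	}
}
```

The header check scans every byte offset, so on arbitrary data it can produce false positives (any run of `f0 ff ff ff 00 00 01 08` matches); in a real scanner, restrict it to the `.gopclntab`, `.rdata` or `.data.rel.ro` section and confirm the offsets that follow the header resolve inside the file before raising an alert.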

Before starting its encryption routine, TellYouThePass tries to terminate processes that might hold target files open, among them email clients, database applications, web servers and document editors. On Linux, killing processes owned by other users requires root privileges, so this step only fully succeeds when the malware is running with elevated rights.

What is Golang?

Golang, or 'Go', is a versatile, compiled, cross-platform programming language designed at Google in 2007 and released as open source in 2009. It is among the most in-demand languages currently in use by the IT community, according to the University of California, Berkeley.

Crowdstrike noted in a November 2021 report that it noticed a steep rise in uptake from the cyber crime community in 2021 with an 80% increase in use between June and August 2021.

The cyber security firm said cryptocurrency miners are the most popular form of malware using Golang with miners accounting for 70% of all Golang-written malware as of August 2021. As evidenced with TellYouThePass, ransomware is also seeing Golang uptake, as well as password-stealing trojans and downloaders, Crowdstrike said.

Among the other strains of ransomware written in Golang, the likes of Babuk and HelloKitty - the ransomware that targeted CD Projekt in 2021 - are the most prominent, according to cyber security firm Morphisec.

"Golang’s versatility has turned it into a one-stop shop for financially motivated eCrime developers," the company said in a blog post. "Instead of rewriting malware for Windows, macOS and Linux, eCriminals can use Golang to cross-compile the same codebase with ease, allowing them to target multiple platforms effortlessly."


Despite Go's cross-platform reach, Crowdstrike said the vast majority (91%) of Go-written malware targets Windows, reflecting its market share; 8% targets macOS and just 1% seeks to infect Linux machines.

Pivoting to Golang is also attractive on performance grounds: Go compiles to native machine code and reportedly runs around 40 times faster than optimised Python code. Go binaries are also statically linked, bundling the runtime and every dependency into a single large executable, which makes for a more effective product and one that is harder to analyse.

"Portability in malware means the expansion of the addressable market, in other words who might become a source of money," said Andy Norton, European cyber risk officer at Armis, speaking to IT Pro. "This isn't the first time we've seen a shift towards more portable malware; a few years ago we saw a change towards Java-based remote access trojans away from .exe Windows-centric payloads.

"The ability for security controls to inspect payloads is also another factor threat actors take into account, and drove the prevalence of file-less attacks up in recent years. The scrutiny and patching of Java currently on the back of Log4j vulnerabilities may be reducing Java's attractiveness as a threat vector and driving change in the criminal groups."
