First Log4Shell attacks spreading ransomware have been spotted

Romanian antivirus maker Bitdefender says it has spotted the first ransomware group that is abusing the recently disclosed Log4Shell vulnerability to infect and encrypt unpatched systems.

The first attacks were spotted on Sunday, December 11, and were carried out using a new strain of ransomware named Khonsari, Bitdefender researcher Martin Zugec said in a report on Monday.

The ransomware is coded in .NET and can only target Windows systems.

Security researchers MalwareHunterTeam and Michael Gillespie have described it as a low-effort "skidware" assembled from public code; however, despite its low-quality code, the ransomware is functional and can successfully encrypt systems if a Log4Shell attack succeeds.

The ransomware also uses a sound encryption scheme, and no flaw has been found in it so far, meaning that once files are encrypted, victims will either need to restore from backups or pay the attackers to recover them.

Luckily, the attacks pushing this threat right now are small in number, and this doesn't appear to be a virulent issue.

Victims can recognize a Khonsari attack by the .khonsari extension appended to most of their files and by a text file dropped on the desktop containing a ransom note like the one below. [Formatted for readability.]

Your files have been encrypted and stolen by the Khonsari family. If you wish to decrypt, call [redacted] or [redacted]. If you do not know how to buy btc, use a search engine to find exchanges. DO NOT MODIFY OR DELETE THIS FILE OR ANY ENCRYPTED FILES. IF YOU DO, YOUR FILES MAY BE UNRECOVERABLE.
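The two indicators the article gives (the .khonsari extension and the desktop ransom note naming the "Khonsari family") are enough for a simple host-side triage check. The script below is an added example written for this page, not code from Bitdefender or the article; it walks a directory tree, collects files carrying the extension and small text files containing the note phrasing, and builds its own constructed sample tree so it can be run offline. The directory layout, file names and sizes in the sample are assumptions made for the demo.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: encrypted files get a ".khonsari"
# extension, and a text ransom note naming the "Khonsari family" is dropped
# on the desktop. The note phrase below is from the article's quoted note.
ENCRYPTED_EXT = ".khonsari"
NOTE_MARKER = "encrypted and stolen by the khonsari family"
NOTE_MAX_BYTES = 64 * 1024  # ransom notes are small; skip anything larger


def is_ransom_note(path: Path) -> bool:
    """True if `path` is a small text file containing the Khonsari note phrasing."""
    try:
        if path.stat().st_size > NOTE_MAX_BYTES:
            return False
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return False
    return NOTE_MARKER in text.lower()


def scan_for_khonsari(root: str) -> dict:
    """Walk `root` and collect Khonsari indicators.

    Returns {"encrypted": [paths], "notes": [paths], "suspected": bool}.
    Either indicator alone is enough to flag the host for response.
    """
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted.append(str(path))
            elif lower.endswith(".txt") and is_ransom_note(path):
                notes.append(str(path))
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "suspected": bool(encrypted or notes),
    }


def build_sample_tree(root: str, infected: bool) -> None:
    """Constructed sample data (hypothetical user profile, not real victim files)."""
    desktop = Path(root) / "Users" / "alice" / "Desktop"
    docs = Path(root) / "Users" / "alice" / "Documents"
    desktop.mkdir(parents=True)
    docs.mkdir(parents=True)
    (docs / "notes.txt").write_text("meeting at 10", encoding="utf-8")  # benign
    if infected:
        (desktop / "HOW TO GET YOUR FILES BACK.txt").write_text(
            "Your files have been encrypted and stolen by the Khonsari family. "
            "If you wish to decrypt, call [redacted] or [redacted].",
            encoding="utf-8",
        )
        (docs / "budget.xlsx.khonsari").write_bytes(b"\x00" * 32)


def run_demo(infected: bool = True) -> dict:
    """Build the constructed tree in a temp dir, scan it, and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, infected)
        return scan_for_khonsari(tmp)


if __name__ == "__main__":
    print(run_demo(infected=True))
    print(run_demo(infected=False))
```

In practice you would point `scan_for_khonsari` at a mounted volume from a clean analysis host rather than running it on the suspect machine, and treat a hit as a trigger to isolate the host and check backups, since the article notes the encryption has no known weakness to exploit for recovery.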

Both the redacted phone number and email address belong to a Louisiana-based business owned by a person of Iranian descent named Khonsari. All of this suggests the ransomware is (1) an attempt to frame this person, and (2) destructive in nature, as victims won't be able to recover encrypted files.

Besides the threat from Khonsari, Bitdefender also reported on other malware gangs abusing the same Log4Shell vulnerability to spread across the internet, such as DDoS and cryptomining botnets.

Chinese security firm Qihoo 360 said in a similar report on Monday that they've been tracking at least ten different groups abusing this vulnerability as well.

Israeli security firm Check Point also added that it has seen at least 60 variations of the Log4Shell exploit so far, many as a result of threat actors trying to evade detections and mitigations put in place since last week.

An initial patch was released last week; yesterday, the Apache Software Foundation released Log4j version 2.16.0, which adds further hardening against Log4Shell attacks, including disabling the JNDI component that is at the root of the vulnerability.
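Since the article's remediation advice comes down to getting every log4j-core jar to 2.16.0, a defender's first job is finding the copies that are still behind. The following is an added example written for this page (not Apache or Bitdefender code): it walks a directory, reads `Implementation-Version` from each log4j-core jar's manifest (falling back to the version in the file name), and flags anything below 2.16.0. The jars it creates for the demo are constructed stand-ins containing only a manifest, not real Log4j builds.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Version the article names as carrying the JNDI hardening.
MIN_SAFE = (2, 16, 0)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str):
    """Extract the first x.y.z triple from `text`, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def jar_version(jar_path: str):
    """Version from the manifest's Implementation-Version, else from the file name."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "ignore")
    except (zipfile.BadZipFile, KeyError, OSError):
        manifest = ""
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            v = parse_version(line.split(":", 1)[1])
            if v:
                return v
    return parse_version(Path(jar_path).name)


def audit_log4j(root: str):
    """Return sorted (path, version, needs_update) for every log4j-core jar under root.

    An unparseable version is reported as needing an update rather than silently passing.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.startswith("log4j-core") and lower.endswith(".jar"):
                path = os.path.join(dirpath, name)
                v = jar_version(path)
                findings.append((path, v, v is None or v < MIN_SAFE))
    return sorted(findings)


def _write_fake_jar(path: Path, manifest_version=None) -> None:
    """Constructed stand-in jar: a zip with a manifest (or a dummy entry if no version)."""
    with zipfile.ZipFile(path, "w") as zf:
        if manifest_version:
            zf.writestr(
                "META-INF/MANIFEST.MF",
                f"Manifest-Version: 1.0\nImplementation-Version: {manifest_version}\n",
            )
        else:
            zf.writestr("placeholder.txt", "no manifest in this sample")


def run_demo():
    """Build three constructed jars in a temp dir and audit them; returns basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "app" / "lib"
        lib.mkdir(parents=True)
        _write_fake_jar(lib / "log4j-core-2.14.1.jar", "2.14.1")   # vulnerable
        _write_fake_jar(lib / "log4j-core-2.15.0.jar")             # no manifest: file-name fallback
        _write_fake_jar(lib / "log4j-core-2.16.0.jar", "2.16.0")   # hardened release
        return [(os.path.basename(p), v, bad) for p, v, bad in audit_log4j(tmp)]


if __name__ == "__main__":
    for name, version, needs_update in run_demo():
        print(f"{name}: {version} {'NEEDS UPDATE' if needs_update else 'ok'}")
```

One caveat for real environments: log4j-core is often bundled inside application archives (wars, ears, shaded jars), which this walk does not open, so a clean result from the file system alone is not proof that no vulnerable copy is loaded.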

Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.