Log4j flaw exploitation leads to the new Khonsari ransomware delivery

Hackers manage to spread new ransomware in Log4Shell attacks

Hackers infect computers with Khonsari RansomwareLog4Shell wreaks havoc leads to ransomware attack

Researchers reported the major Log4j vulnerability and noted that the flaw was used to download and install the ransomware.[1] The major security issue was discovered last week, and after the weekend, the cybersecurity technology company noticed attempts to spread the new ransomware family on Windows machines. Khonsari ransomware gets deployed alongside the Orcus trojan.[2] The infiltration is successful due to the exploitation of the critical vulnerability that has already affected major companies and sectors all over the world.[3]

The critical zero-day vulnerability in the Apache Log4j Java-based login platform is the issue that affects the development framework. Threat actors can use the flaw and create a special JNDI string that, once read by the script, causes the platform connection and execution of the code.

Attackers can detect vulnerable devices and run codes supplied by the remote website or vis Base64 encoded strings. The exploitation and usage of the flaw can create major damage and consequences. Nevertheless, the issue was addressed with the Log4j 2.15 version and Log4j 2.16.0, but it is still used by threat actors that aim to install trojans, botnets, beacons, and other malware.

Leveraging RCE flaw to download malware payload

The research team from BitDefender reported the first ransomware installation using the Log4j exploit.[4] This attack uses the remote code execution vulnerability to get the payload of the malware, a NET binary from the server that helps with file encryption on the machine. Ransomware is an infection based on file-lockin functions that are achieved with army-grade encryption algorithms. Once common data gets encoded . khonsari appendix marks them all, and the ransom note is delivered.

The message from criminals who created the infection lists the options for the victim and urges them to pay up for the alleged file recovery. Bitcoin payment should be exchanged in the file recovery. The ransom note also indicates that the appendix is the name of this malware and that the modification of any files can lead to permanent losses. The same server where the threat actors stored this ransomware is related to Orcus Remote Access Trojan distribution.

Ransomware seems to only wipe files from the device

Ransomware analysis[5] shows that the Khonsari ransomware uses proper encryption and the encoding is secure, so the recovery of the affected data is likely impossible. However, the ransom note that should list all the options for the victim and contact information does not include any emails or other forms of connection.

Researchers think that this fact means the threat actors who deployed the ransomware do not care for the financial gains and only release the malware to affect machines. This is more likely a wiper rather than real ransomware based on cryptocurrency extortion.[6]

It is the first known ransomware installation that uses the Log4j exploit to directly drop the malware. However, researchers have already found attempts to release the Cobalt Strike beacons. These malware deployment attacks might get more advanced, and threat actors can use the exploit opportunities in the future for their attacks.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

Jake Doevan is one of News Editors for 2-spyware.com. He graduated from the Washington and Jefferson College , Communication and Journalism studies.

Contact Jake Doevan
About the company Esolutions