Microsoft confirms new ransomware family deployed via Log4j vulnerability

Hear from CIOs, CTOs, and other senior and C-level executives on AI data and strategy at the Future of Work Summit on January 12, 2022. Learn more

Microsoft has become the second security vendor to report that it has observed a new family of ransomware, known as Khonsari, which the company claims has been used in attacks on non-Microsoft-hosted Minecraft servers by exploiting the vulnerability in Apache Log4j.

In a Wednesday night update on his blog. mail About the Log4j vulnerability, Microsoft said it can confirm the recommendations from the cyber company Bitdefender, which earlier this week revealed the existence of the new Khonsari ransomware family. Bitdefender said it had detected multiple attempts to implement a Khonsari ransomware payload, targeting Windows systems by exploiting a flaw in the Log4j registry library.

The vulnerability, known as Log4Shell, was publicly disclosed last Thursday and is considered highly dangerous as the flaw is widespread and considered trivial to exploit.

Attacks on Minecraft servers

In its blog update on Wednesday, Microsoft said that it has seen ransomware attacks on Minecraft servers that are not hosted by the company that involve the Khonsari ransomware family.

“Microsoft can confirm public reports that the Khonsari ransomware family was delivered as a post-exploitation payload, as discussed by Bitdefender,” the company said in the blog post update.

“In the Microsoft Defender Antivirus data, we have seen a small number of cases of this [ransomware] being launched from compromised Minecraft clients connected to modified Minecraft servers running a vulnerable version of Log4j 2 through the use of a third-party Minecraft mod loader, ”Microsoft said in the post.

In those cases, the threat actor has sent a malicious in-game message to a vulnerable Minecraft server, and the message then exploits Log4Shell to run a payload on both the server and any vulnerable clients that are connected, the company said. .

“We observed that the exploit leads to a malicious Java-class file, the Khonsari ransomware, which is then run in the context of javaw.exe to rescue the device,” Microsoft said.

Compromise risk

The vulnerability in Log4j was initially discovered in the Java edition of Minecraft, according to reports. The hugely popular game is owned by Microsoft. TO mail on the Minecraft blog on Friday he had informed users of the Log4j vulnerability and urged users of the Java edition to upgrade to the patched version, saying that “this vulnerability represents a potential risk of your computer being compromised.” .

Microsoft’s new disclosure today follows the company’s report Tuesday that it has observed multiple cybercriminal groups seeking to establish network access by exploiting Log4Shell, with the aim of subsequently selling that access to ransomware operators. The arrival of these “access brokers,” which have been linked to ransomware-as-a-service affiliates, suggests that there could be a “surge in human-operated ransomware” against Windows and Linux systems, the company said.

Additionally, Microsoft said in the previous update that it has observed activity from nation-state groups around the Log4j vulnerability, including the activities of an Iranian group that has previously deployed ransomware.

‘Not very widespread’

Earlier this week, Bitdefender reported that it has seen multiple attempts to implement the new Khonsari ransomware, named after the extension found in encrypted payload files. However, “Khonsari is not very widespread at the moment,” Martin Zugec, Bitdefender’s director of technical solutions, said in an email to VentureBeat on Tuesday.

Researchers have also told VentureBeat that they have observed attackers who could lay the groundwork for launching ransomware in various ways, such as implementing privilege escalation tools and bringing malicious Cobalt Strike servers online in recent days. Cobalt Strike is a popular tool for enabling remote recognition and lateral movement in ransomware attacks.

On Saturday, Microsoft reported seeing the installation of Cobalt Strike through the exploitation of the Log4j vulnerability.

Still, researchers have said they expect more ransomware attacks as a result of the vulnerability in Log4j. Many applications and services written in Java are potentially vulnerable to Log4Shell, which can allow remote code execution by unauthenticated users. Researchers at cybersecurity giant Check Point said they have observed attempts to exploit the Log4j vulnerability in more than 44% of corporate networks worldwide.

Ransomware as a service

In Tuesday’s blog post update, Microsoft’s threat research teams said they “have confirmed that various tracked activity groups acting as access agents have begun using the vulnerability to gain initial access to target networks. “.

“These access agents then sell access to these networks to ransomware affiliates as a service,” Microsoft researchers said in the post.

Ransomware-as-a-service operators rent ransomware variants to other attackers, saving them the effort of creating their own variants.

At the time of writing, there has been no public disclosure of a successful ransomware breach that exploited the vulnerability in Log4j.

Ransomware has already affected a growing number of companies. A recent CrowdStrike survey found that 66% of organizations had experienced a ransomware attack in the past 12 months, up from 56% in 2020.

Meanwhile, in Wednesday’s post update, Microsoft said that “while it is rare for Minecraft to be installed on enterprise networks, we have also observed PowerShell-based reverse shells being released to Minecraft client systems via the same malicious message technique, giving an actor full access to a compromised system, which they then use to run Mimikatz to steal credentials. “

“These techniques are typically associated with business compromises with the intention of lateral movement,” the company said. “Microsoft has not observed any tracking activity for this campaign at this time, indicating that the attacker may be gaining access for further use.”


VentureBeat’s mission is to be a digital urban plaza for technical decision makers to gain insight into transformative technology and transact. Our site offers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:

  • updated information on the topics of your interest
  • our newsletters
  • Exclusive content from thought leaders and discounted access to our treasured events, such as Transform 2021: Learn more
  • network features and more

Become a member

Leave a Comment