[MART] - Daily Diary #413 - Meet Khonsari, A New Ransomware Family Delivered Via Log4J flaw

CTAS-MAT ctas-mat at appgate.com
Thu Dec 16 22:45:23 UTC 2021


I hope everyone is doing well!

Below is the entry for today.

12/16/2021 - Diary entry #413:

A new Ransomware family targeting Windows OS emerged after the Log4J vulnerability disclosure. Named Khonsari, it's a 12KB .NET payload that contains only the most basic functionality required to encrypt files. Khonsari uses the AES-128-CBC algorithm and renames each file with the extension ".khonsari".

As soon as it's executed, Khonsari will list all available drives and encrypt them entirely, except the C:\ drive. On the C:\ drive, it will encrypt only the following folders: Documents, Videos, Pictures, Downloads, and Desktop. Then, it drops a ransom note demanding a Bitcoin payment to recover the compromised data.

The distribution of Khonsari was limited, and the server that originally delivered the Ransomware - after exploiting the Log4J vulnerability - is now serving a generic Backdoor. The simplicity of this new threat suggests that the threat actors are experimenting with this new attack vector and Khonsari may evolve from now on.

Kind Regards,



Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com
O: +55 11 97467 9549
