Microsoft confirms new ransomware family deployed via Log4j vulnerability

Microsoft has become the second security vendor to report that it has observed a new family of ransomware known as Khonsari – which the company said has been used in attacks on Minecraft servers by exploiting the vulnerability in Apache Log4j.

In an update to a blog post about the vulnerability on Wednesday night, Microsoft said it can confirm the findings of the cyber firm Bitdefender, which earlier this week revealed the existence of the new Khonsari ransomware family. Bitdefender said it had detected several attempts to deploy a Khonsari ransomware payload targeted at Windows systems by exploiting a flaw in the Log4j logging library. The vulnerability, known as Log4Shell, was announced last Thursday.

Attacks on Minecraft servers

In its blog update on Wednesday, Microsoft said it has seen ransomware attacks on Minecraft servers not hosted by the company involving the Khonsari ransomware family.

“Microsoft can confirm public reports that the Khonsari ransomware family will be delivered as payload after exploitation, as discussed by Bitdefender,” the company said in the blog post update.

“In Microsoft Defender Antivirus data, we have observed a small number of cases of this [ransomware] being launched from compromised Minecraft clients connected to modified Minecraft servers running a vulnerable version of Log4j 2 through the use of a third-party Minecraft mods loader,” Microsoft said in the post.

In these cases, the threat actor has sent a malicious in-game message to a vulnerable Minecraft server, and the message then exploits Log4Shell to execute a payload both on the server and on any vulnerable clients connected to it, the company said.

“We observed exploitation that led to a malicious Java class file, which is Khonsari ransomware, which is then executed in conjunction with javaw.exe to fix the device,” said Microsoft.

The vulnerability in Log4j was initially discovered in the Java version of Minecraft, according to reports. The hugely popular game is owned by Microsoft. A post on the Minecraft blog on Friday had informed users about the Log4j vulnerability and urged Java users to update to the patched version, saying that “this vulnerability poses a potential risk of your computer being compromised.”

The new revelation from Microsoft today follows the company’s report on Tuesday that it has observed several cybercrime groups seeking to establish network access by exploiting Log4Shell, with the aim of later selling this access to ransomware operators. The arrival of these “access brokers”, which have been linked to ransomware-as-a-service affiliates, suggests that an “increase in human-driven ransomware” may follow against both Windows and Linux systems, the company said.

In addition, Microsoft said in the previous update that it has observed activity from nation-state groups around the Log4j vulnerability, including activity from an Iranian group that has previously deployed ransomware.

‘Not widespread’

Earlier this week, Bitdefender reported that it has seen several attempts to deploy the new Khonsari ransomware, named after the extension found on the payload’s encrypted files. But “Khonsari is not widespread at this time,” Martin Zugec, director of technical solutions at Bitdefender, said in an email to VentureBeat on Tuesday.

Researchers have also told VentureBeat that they have observed attackers potentially laying the groundwork for launching ransomware in a number of ways, such as deploying privilege escalation tools and bringing malicious Cobalt Strike servers online in recent days. Cobalt Strike is a popular tool for enabling remote reconnaissance and lateral movement in ransomware attacks.

On Saturday, Microsoft had reported seeing the installation of Cobalt Strike through exploiting the Log4j vulnerability.

All in all, researchers have said that they expect more ransomware attacks due to the Log4j vulnerability, as the bug is both widespread and considered trivial to exploit. Many applications and services written in Java are potentially vulnerable to Log4Shell, which could allow remote code execution by unauthorized users. Researchers at cybersecurity giant Check Point said they have observed attempts to exploit the Log4j vulnerability on more than 44% of the company’s network worldwide.


In the blog post update Tuesday, Microsoft’s threat research team said they “have confirmed that several tracked activity groups acting as access brokers have started using the vulnerability to gain initial access to target networks.”

“These access brokers then sell access to these networks to ransomware-as-a-service affiliates,” Microsoft researchers said in the post.

Ransomware-as-a-service operators rent out ransomware variants to other attackers, saving them the hassle of creating their own variants.

At the time of this writing, there has been no public disclosure of a successful ransomware breach exploiting the vulnerability in Log4j.

Ransomware has already hit a growing number of companies. A recent study by CrowdStrike found that 66% of organizations had experienced a ransomware attack in the previous 12 months, up from 56% in 2020.

Meanwhile, Microsoft said in the blog update on Wednesday that “while it is uncommon for Minecraft to be installed in corporate networks, we have also observed PowerShell-based reverse shells being dropped on Minecraft client systems via the same malicious messaging technology, giving an actor full access to a compromised system, which they then use to run Mimikatz to steal credentials.”

“These techniques are typically associated with business compromises with the intention of moving across,” the company said. “Microsoft has not observed any follow-up activity from this campaign so far, indicating that the attacker may be collecting access for later use.”
