The first public case of the Log4j Log4Shell vulnerability used to download and install ransomware has been discovered by researchers.
Yesterday, BitDefender reported that they found the first ransomware family being installed directly via Log4Shell exploits.
Once loaded, it would download a.NET binary from the same server to install new ransomware [VirusTotal] named ‘Khonsari.
Ransomware expert Michael Gillespie told BleepingComputer that Khonsari uses valid encryption and is secure, meaning that it is not possible to recover files for free.
Emsisoft analyst Brett Callow pointed out to BleepingComputer that the ransomware is named after and uses contact information for a Louisiana antique shop owner rather than the threat actor.
It is likely that more advanced ransomware operations are already using the exploits as part of their attacks.