Khonsari Ransomware

The Khonsari ransomware was the first group to exploit the known Apache Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046); the group has focused its attacks on Windows servers on which Log4j has not been updated.

The group's first registration occurred in December 2021, which indicates that the group was created specifically to exploit the Apache Log4j vulnerabilities. This may be just the beginning, though, and the group may broaden its scope.

Unlike groups that use RaaS tactics, Khonsari is a closed and exclusive group, which shows that its attacks are targeted at specific companies.

The malware is relatively simple and small: it weighs only 12 KB, which makes it virtually unnoticeable to antivirus software. The group acts only through encryption; there is no file theft.

The group uses AES-128 encryption, and interestingly the decryption key is itself encrypted, in this case with RSA.

The key is stored in the ransom note, which opens automatically after the files are encrypted; the .khonsari extension is added to every encrypted file.

If the note is deleted, the files cannot be decrypted, because the key is deleted along with it.

If the decryption key is deleted, only a company that specializes in recovering files encrypted by ransomware can recover them.
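Because the RSA-encrypted AES key lives only in the note, a responder's first step is to confirm the note still exists before any cleanup. The following triage helper is an added example (not code from the original article or from Digital Recovery): it inventories .khonsari files under a directory and looks for ransom-note candidates. The note filename, the assumption that the note text mentions "Khonsari", and the sample directory tree are all constructed placeholders.

```python
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".khonsari"   # extension the article reports on encrypted files
NOTE_MARKER = "khonsari"      # assumption: the ransom note text mentions the family name
NOTE_MAX_BYTES = 64 * 1024    # assumption: ransom notes are small text files


def triage(root):
    """Inventory encrypted files and ransom-note candidates under `root`.

    The note carries the RSA-encrypted AES key, so responders must preserve it;
    `note_present` is False when encrypted files exist but no note was found.
    """
    encrypted, notes = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() == ENCRYPTED_EXT:
            encrypted.append(path)
            continue
        if path.stat().st_size > NOTE_MAX_BYTES:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        if NOTE_MARKER in text.lower():
            notes.append(path)
    return {
        "encrypted": len(encrypted),
        "notes": len(notes),
        "note_present": bool(notes) or not encrypted,
    }


def demo(delete_note=False):
    """Build a constructed sample tree (not real artifacts) and triage it."""
    with tempfile.TemporaryDirectory() as d:
        docs = Path(d) / "docs"
        docs.mkdir()
        (docs / "report.docx.khonsari").write_bytes(b"\x00" * 32)
        (docs / "budget.xlsx.khonsari").write_bytes(b"\x00" * 32)
        note = docs / "RANSOM_NOTE_SAMPLE.txt"   # placeholder name, not the real one
        note.write_text("Your files were encrypted by Khonsari. <encrypted key placeholder>")
        (Path(d) / "readme.txt").write_text("unrelated file")
        if delete_note:
            note.unlink()   # simulates the mistake the article warns about
        return triage(d)


if __name__ == "__main__":
    print(demo())                  # note present, key recoverable from it
    print(demo(delete_note=True))  # key lost together with the note
```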

The best defense against Khonsari ransomware is to keep Log4j up to date.

Recover Files Encrypted by Khonsari Ransomware

Recovering files encrypted by Khonsari ransomware is possible even without the decryption key; Digital Recovery is capable of doing so.

With more than two decades in the data recovery market, we have developed the experience needed to act in the most drastic data loss scenarios, which today largely means data loss caused by ransomware attacks.

We can recover encrypted files on hard drives, SSDs, databases, storage systems (NAS, DAS, SAN), RAID systems, servers, virtual machines, among others.

All our processes are exclusive and customized for each client, and throughout the process the client remains in contact with one of our specialists.

We make a confidentiality agreement (NDA) available to all our clients.

Contact us and start the recovery process right now.
