The Khonsari ransomware group was the first to exploit the known Apache Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046); it has focused its attacks on Windows servers where Log4j has not been updated.
The group's first registration occurred in December 2021, which indicates that it was created specifically to exploit the Apache Log4j vulnerabilities. This may be just the beginning, and the group may broaden its scope.
Unlike groups that operate under the RaaS (ransomware-as-a-service) model, Khonsari is a closed and exclusive group, which suggests that its attacks are targeted at specific companies.
The malware is relatively simple and small: it weighs only 12 KB, which makes it virtually unnoticeable to antivirus software. The group only encrypts files; there is no file theft.
Files are encrypted with AES-128, and, interestingly, the decryption key is itself encrypted, but with RSA.
That RSA-encrypted key is stored in the ransom note, which opens automatically after the files are encrypted; the .khonsari extension is added to every encrypted file.
If the note is deleted, the files cannot be decrypted, because the key is deleted along with it.
Once the decryption key is lost, only a company that specializes in recovering files encrypted by ransomware can recover the files.
The best defense against Khonsari ransomware is to keep Log4j up to date.
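Because the encrypted AES key lives only in the ransom note, the first responder step on an affected host is to inventory the .khonsari files and preserve every candidate note before anything is cleaned up. The following script is an added example written for this page, not code from the original text or from any recovery vendor; the .khonsari extension comes from the page, while the note file name pattern (a .txt file whose name contains "khonsari") and the sample directory layout are assumptions.

```python
import hashlib
import os
import shutil
import tempfile

ENCRYPTED_EXT = ".khonsari"   # extension named on the page
# The page does not give the ransom note's file name; matching a .txt file whose
# name contains this hint is an assumption and should be adjusted to the real note.
NOTE_NAME_HINT = "khonsari"

def sha256_of(path):
    """Hash the file so the preserved copy can later be matched to the original."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(root, evidence_dir):
    """Walk root, list encrypted files and copy every candidate ransom note to evidence_dir.

    Returns (encrypted_paths, preserved_notes); preserved_notes maps the copied
    path to the SHA-256 of the original note.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    evidence_abs = os.path.abspath(evidence_dir)
    encrypted, notes = [], {}
    for dirpath, _, filenames in os.walk(root):
        if os.path.abspath(dirpath).startswith(evidence_abs):
            continue   # never re-scan our own evidence folder
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif lower.endswith(".txt") and NOTE_NAME_HINT in lower:
                digest = sha256_of(path)
                dest = os.path.join(evidence_dir, f"{digest[:12]}_{name}")
                shutil.copy2(path, dest)   # copy, never move: the original note stays in place
                notes[dest] = digest
    return encrypted, notes

def demo():
    """Constructed fixture: a share with two encrypted files, one note and one untouched file."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        os.makedirs(share)
        for name in ("report.docx.khonsari", "q4.xlsx.khonsari", "readme.txt"):
            with open(os.path.join(share, name), "wb") as f:
                f.write(b"\x00opaque sample bytes")
        with open(os.path.join(share, "HOW_TO_DECRYPT_khonsari.txt"), "w") as f:
            f.write("constructed note: <RSA-encrypted AES key would appear here>\n")
        encrypted, notes = triage(share, os.path.join(tmp, "evidence"))
        for p in encrypted:
            print("encrypted:", p)
        for dest, digest in notes.items():
            print("preserved note:", dest, digest)
        return len(encrypted), len(notes)

if __name__ == "__main__":
    demo()
```

Run it against the root of an affected share and an evidence directory on separate storage; the hash lets you prove later that the preserved copy is byte-identical to the note that was on disk.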
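Keeping Log4j up to date starts with knowing which log4j-core jars are on a host and what version they are. The script below is an added example for this page, not code from the original text: it walks a directory tree, reads each log4j-core jar's MANIFEST.MF (falling back to the file name), and flags versions below the releases that fixed CVE-2021-44228 and CVE-2021-45046 (2.16.0 on the main line, 2.12.2 on the Java 7 branch). The Java 6 (2.3.x) branch is not modelled and is flagged conservatively; the sample jars are constructed fixtures.

```python
import os
import re
import tempfile
import zipfile

# Versions below these are affected by CVE-2021-44228 and/or CVE-2021-45046.
# 2.16.0 is the fix on the main line; the 2.12.x branch was fixed in 2.12.2.
# The 2.3.x (Java 6) branch is not modelled here and is flagged as affected.
FIXED_MAINLINE = (2, 16, 0)
FIXED_2_12_BRANCH = (2, 12, 2)

VERSION_RE = re.compile(r"^log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing components are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def is_affected(version):
    """True when the version is below the fix for its branch."""
    if version[0] != 2:
        return False   # only the 2.x line carries these two CVEs
    if version[:2] == (2, 12):
        return version < FIXED_2_12_BRANCH
    return version < FIXED_MAINLINE

def jar_version(path):
    """Version tuple of a log4j-core jar from its manifest, else from its file name, else None."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    except (zipfile.BadZipFile, KeyError, OSError):
        pass
    m = VERSION_RE.match(os.path.basename(path))
    return parse_version(m.group(1)) if m else None

def audit(root):
    """Return a list of (path, version_string, affected) for every log4j-core jar under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not (name.startswith("log4j-core-") and name.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            version = jar_version(path)
            if version is None:
                findings.append((path, "unknown", True))   # unknown version: treat as affected
            else:
                findings.append((path, ".".join(map(str, version)), is_affected(version)))
    return findings

def make_fake_jar(directory, version):
    """Constructed fixture: a minimal jar (zip) containing only a manifest."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    return path

def demo():
    """Audit a temp tree holding one vulnerable and two fixed jars; returns {version: affected}."""
    with tempfile.TemporaryDirectory() as tmp:
        for v in ("2.14.1", "2.12.2", "2.17.1"):
            make_fake_jar(tmp, v)
        results = audit(tmp)
        for path, ver, affected in sorted(results):
            print(f"{'AFFECTED' if affected else 'ok      '} {ver:8} {path}")
        return {ver: affected for _, ver, affected in results}

if __name__ == "__main__":
    demo()
```

Point `audit()` at an application's install directory (or `/` on a server) to get a list to act on; jars whose version cannot be read are reported as affected so they are reviewed rather than silently skipped.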
Recover Files Encrypted by Khonsari Ransomware
Recovery of files encrypted by Khonsari ransomware is possible even without the decryption key, and Digital Recovery is capable of it.
With more than two decades in the data recovery market, we have developed the experience needed to act in the most drastic data loss scenarios, which today mainly means data loss caused by ransomware attacks.
We can recover encrypted files on hard drives, SSDs, databases, storage systems (NAS, DAS, SAN), RAID arrays, servers, virtual machines, and more.
All our processes are exclusive and customized for each client, and throughout the process the client stays in contact with one of our specialists.
We make a confidentiality agreement (NDA) available to all our clients.
Contact us and start the recovery process right now.