The Khonsari ransomware group was the first to exploit the known Apache Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046). The group has focused its attacks on Windows servers on which Log4j has not been updated.
The group's first registration occurred in December 2021, which indicates that it was created specifically to exploit the Apache Log4j vulnerabilities. This may be only the beginning, however, and the group may broaden its scope.
Unlike groups that use RaaS (Ransomware-as-a-Service) tactics, Khonsari is a closed and exclusive group, which suggests that its attacks are aimed at specific companies.
The malware is relatively simple and small: it weighs only 12 KB, which makes it easy for antivirus software to miss. The group acts only by encrypting files; there is no file theft.
The group uses AES-128 encryption, and, interestingly, the AES decryption key is itself encrypted, in this case with RSA.
The encrypted key is stored in the ransom note, which opens automatically after the files have been encrypted; the .khonsari extension is appended to every encrypted file.
If the note is deleted, the files cannot be decrypted by the attacker either, because the key is deleted along with the note.
If the decryption key has been deleted, only a company that specialises in recovering files encrypted by ransomware can recover the files.
The best defence against Khonsari ransomware is to keep Log4j up to date.
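A practical way to act on this advice is to inventory which log4j-core jars are deployed and flag those below a patched release. The script below is an added example, not code from the original post or from Digital Recovery: it parses log4j-core version numbers from filenames, compares them with a threshold, and reports vulnerable and patched copies. The sample paths are constructed, and the threshold of 2.16.0 (the release Apache published for CVE-2021-45046) is an assumption you should align with your vendor's guidance.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed threshold: log4j-core releases below this are treated as exposed to
# CVE-2021-44228 / CVE-2021-45046. Adjust to your vendor's patch guidance.
MIN_PATCHED: Tuple[int, int, int] = (2, 16, 0)

# Matches the jar name only, e.g. "log4j-core-2.14.1.jar".
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def basename(path: str) -> str:
    """Return the final path component, accepting Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def parse_version(filename: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a log4j-core jar name, or None."""
    m = JAR_RE.match(basename(filename))
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def classify(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Split jar paths into 'vulnerable' and 'patched' buckets by version."""
    report: Dict[str, List[str]] = {"vulnerable": [], "patched": []}
    for path in paths:
        version = parse_version(path)
        if version is None:
            continue  # not a log4j-core jar (e.g. log4j-api), ignore
        bucket = "patched" if version >= MIN_PATCHED else "vulnerable"
        report[bucket].append(path)
    return report


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree on a real host and classify every log4j-core jar found."""
    return classify(str(p) for p in Path(root).rglob("log4j-core-*.jar"))


# Constructed sample inventory standing in for a real directory walk.
SAMPLE_PATHS = [
    r"C:\apps\erp\lib\log4j-core-2.14.1.jar",
    r"C:\apps\portal\WEB-INF\lib\log4j-core-2.17.1.jar",
    r"C:\apps\portal\WEB-INF\lib\log4j-api-2.17.1.jar",
]

if __name__ == "__main__":
    result = classify(SAMPLE_PATHS)
    for bucket, jars in result.items():
        print(f"{bucket}:")
        for jar in jars:
            print(f"  {jar}")
```

Run `scan_tree(r"C:\apps")` (or any root) on a host to replace the constructed list with a live inventory; anything in the vulnerable bucket should be upgraded before it is reachable by untrusted input.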
Recovery of files encrypted by Khonsari ransomware is possible even without the decryption key, and Digital Recovery is capable of performing it.
With over two decades in the data recovery market, we have developed the expertise to work in the most severe data loss scenarios, which today largely means data loss caused by ransomware attacks.
We can recover encrypted files on HDDs, SSDs, databases, storage systems (NAS, DAS, SAN), RAID systems, servers and virtual machines, among others.
All our processes are exclusive and customised for each client, and throughout the process the client remains in contact with one of our specialists.
Our processes were developed in line with the GDPR (General Data Protection Regulation), and we provide every customer with a confidentiality agreement (NDA).
Contact us and start the recovery process right now.