A critical Apache Log4j vulnerability took the world by storm this week, and it is now being used by threat actors as part of their ransomware attacks.
Last Friday, a researcher released an exploit for the Log4j vulnerability, dubbed “Log4Shell”, after it had previously been seen targeting vulnerable Minecraft servers.
While a patch was quickly released to fix the vulnerability, researchers and threat actors just as quickly began to find and exploit vulnerable devices. Given how fast it was adopted, it was only a matter of time before threat actors used it to deploy ransomware.
It didn’t take long: on Monday, malicious actors relaunched an older ransomware named TellYouThePass and began distributing it through Log4j exploits.
Shortly after, another ransomware (or wiper) called Khonsari was discovered, and we later learned that it was targeting vulnerable Minecraft servers.
Finally, a report today shows how the Conti ransomware gang uses the Log4j vulnerability to quickly gain access to internal VMware vCenter servers in order to encrypt virtual machines.
More ransomware news
While the Log4j vulnerability has occupied most of the cybersecurity community’s time this week, other important developments have taken place as well.
Romanian police have arrested a ransomware affiliate for hacking and stealing sensitive information from the networks of several leading companies around the world.
Emotet has also started distributing Cobalt Strike beacons as its primary payload, allowing ransomware gangs to gain access to compromised networks faster and carry out attacks.
We have also learned that the Hive ransomware operation is emerging as a major player after breaching hundreds of companies in just four months.
Finally, a massive ransomware attack on HR service provider Kronos has had a significant impact on the many companies that rely on it for timekeeping and payroll. We have also witnessed Conti’s attack on the McMenamins breweries, showing that nothing is sacred.
Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @DanielGallagher, @PolarToffee, @jontvdw, @malwrhunterteam, @demonslay335, @VK_Intel, @malwareforme, @serghei, @Seifree, @OvenObytes, @struppigel, @Ionut_Ilascu, @fwosar, @BleepinComputer, @billtoulas, @SANGFOR, @CuratedIntel, @80vul, @1ZRR4H, @AdvIntel, @MsftSecIntel, @GroupIB_GIB, @Bitdefender_Ent, @Cryptolaemus1, @JRoosen, @BroadcomS, @fbgwls245, @Friend_A_, @JakubKroustek, and @pcrisk.
December 11, 2021
New STOP Ransomware variant
Jakub Kroustek found a new variant of STOP ransomware that adds the .yjqs extension to encrypted files.
December 13, 2021
Police arrest ransomware affiliate behind high-profile attacks
Romanian law enforcement authorities have arrested a ransomware affiliate on suspicion of hacking and stealing sensitive information from the networks of several leading companies around the world, including a large Romanian IT company with customers in the retail, energy and utility sectors.
Kronos ransomware attack may lead to weeks of HR solution downtime
Workforce management solutions provider Kronos has suffered a ransomware attack that will likely disrupt many of its cloud-based solutions for weeks.
December 14, 2021
New ransomware is now deployed in Log4Shell attacks
The first public case of the Log4j Log4Shell vulnerability used to download and install ransomware has been discovered by researchers.
New White Rabbit ransomware
Michael Gillespie is looking for a sample of the new White Rabbit ransomware, which adds the .scrypt extension to encrypted files.
December 15, 2021
Emotet starts dropping Cobalt Strike again for faster attacks
Just in time for the holidays, the notorious Emotet malware is once again directly installing Cobalt Strike beacons to enable rapid cyberattacks.
New STOP Ransomware variant
PCrisk found a new variant of STOP ransomware that adds the .shgv extension to encrypted files.
December 16, 2021
Hive ransomware hits big with hundreds of hacks in four months
The Hive ransomware gang is more active and aggressive than its leak site shows, with affiliates attacking an average of three companies every day since the operation became known in late June.
McMenamins Breweries Affected by Conti Ransomware Attack
Portland brewery and hotel chain McMenamins suffered a Conti ransomware attack over the weekend that disrupted the company’s operations.
Microsoft: Khonsari ransomware hits self-hosted Minecraft servers
Microsoft is urging administrators of self-hosted Minecraft servers to upgrade to the latest version to defend against Khonsari ransomware attacks exploiting the critical Log4Shell security vulnerability.
Noberus: Technical Analysis Shows Sophistication of New Rust-Based Ransomware
Symantec, a division of Broadcom Software, is tracking this ransomware as Ransom.Noberus and our researchers first spotted it on a victim organization on November 18, 2021, with three variants of Noberus deployed by attackers during this attack. This would appear to show that this ransomware was active earlier than previously reported, with MalwareHunterTeam telling BleepingComputer they first saw this ransomware on November 21.
New STOP Ransomware variant
PCrisk has found a new variant of STOP ransomware that adds the .hudf extension to encrypted files.
December 17, 2021
Conti ransomware uses Log4j bug to hack VMware vCenter servers
The Conti ransomware operation uses the critical Log4Shell exploit to quickly access internal instances of VMware vCenter Server and encrypt virtual machines.
Logistics giant warns of BEC emails following ransomware attack
Hellmann Worldwide is warning customers of an increase in fraudulent calls and emails regarding payment transfers and bank account changes after a recent ransomware attack.
TellYouThePass ransomware revived in Linux and Windows Log4j attacks
Threat actors have revived an older, relatively inactive ransomware family known as TellYouThePass, deploying it in attacks on Windows and Linux devices targeting a critical remote code execution bug in the Apache Log4j library.
New variant of Dharma Ransomware
dnwls0719 found a new variant of the Dharma ransomware that adds the .C1024 extension to encrypted files.