Security researchers have found evidence that state-sponsored groups, as well as the group behind the Khonsari ransomware family, are all exploiting the Log4j vulnerability.
In a report on Monday, Bitdefender's Martin Zugec wrote that he saw attacks on Sunday against systems running the Windows operating system. These attacks were attempting to deploy Khonsari.
Zugec told ZDNet that Khonsari is relatively new ransomware and is considered basic -- compared to the sophistication of professional ransomware-as-a-service groups.
"Most likely, it is a threat actor experimenting with this new attack vector. However, that doesn't mean that more advanced actors are not looking at exploiting the Log4j vulnerability; they most assuredly are," Zugec explained. "Instead of looking for the shortest route to monetization, they will use this window of opportunity to gain access to the networks and start preparing for a full-scale larger attack."
"If you haven't patched already, you may already have uninvited, dormant guests in your network," Zugec added.
Cado Security released its own report on the ransomware, noting that Khonsari "weighs in at only 12KB and contains only the most basic functionality required to perform its ransomware objective."
"Its size and simplicity is also a strength, however; at the time we ran the malware dynamically, it wasn't detected by the system's built-in antivirus," Cado's Matt Muir explained.
Cado Security CTO Chris Doman said the distribution of Khonsari was limited, and the server that originally delivered the ransomware is now serving a more generic backdoor.
"As others have noted, the contact information in the ransomware note is likely to be fake, and possibly even a false flag. Microsoft has reported that they have seen CobaltStrike delivered -- a backdoor favored by targeted ransomware gangs. And Sekoia have said that the LockBit ransomware crew are likely looking to exploit the vulnerability too," Doman said.
Ransomware expert Brett Callow called Khonsari "skid-level ransomware" but noted that it's safe to assume other actors attempting to exploit this vulnerability will be more advanced.
"Not all will be ransomware gangs. Threat actors of all stripes are attempting to find ways to use Log4j to their advantage," Callow said.
McAfee Enterprise and FireEye Chief Scientist Raj Samani told ZDNet that most of the payloads attacking Log4j are predominantly nuisances. But the ease with which Khonsari can be deployed -- and the prevalence of vulnerable systems -- means payloads could become more destructive.
"We do expect unpatched systems to continue to be exploited with a high likelihood of ransomware as a malicious payload," said McAfee Enterprise and FireEye head of advanced threat research Steve Povolny.
Web servers are the most common systems under attack right now because they're easy to exploit and have a good return on investment, said ESET's Marc-