Microsoft confirms new ransomware family deployed via Log4j vulnerability

Microsoft has become the second security vendor to report it has observed a new family of ransomware, known as Khonsari — which the company said has been used in attacks on non-Microsoft hosted Minecraft servers by exploiting the vulnerability in Apache Log4j.

In a Wednesday night update to its blog post about the Log4j vulnerability, Microsoft said it can confirm the findings of cyber firm Bitdefender, which earlier this week disclosed the existence of the new Khonsari ransomware family. Bitdefender said it had detected multiple attempts to deploy a Khonsari ransomware payload, which targets Windows systems by taking advantage of a flaw in the Log4j logging library.

The vulnerability, known as Log4Shell, was publicly disclosed last Thursday and is considered highly dangerous, as the flaw is both widespread and considered trivial to exploit.

Attacks on Minecraft servers

In its blog update Wednesday, Microsoft said that it has seen ransomware attacks on Minecraft servers that are not hosted by the company that involves the Khonsari ransomware family.

“Microsoft can confirm public reports of the Khonsari ransomware family being delivered as payload post-exploitation, as discussed by Bitdefender,” the company said in the blog post update.

“In Microsoft Defender Antivirus data, we have observed a small number of cases of this [ransomware] being launched from compromised Minecraft clients connected to modified Minecraft servers running a vulnerable version of Log4j 2 via the use of a third-party Minecraft mods loader,” Microsoft said in the post.

In those cases, the threat actor has sent a malicious message in-game to a vulnerable Minecraft server, and the message then exploits Log4Shell in order to execute a payload both on the server and on any vulner