Second ransomware family exploiting Log4j spotted in U.S., Europe

Researchers say a second family of ransomware has been growing in usage for attack attempts that exploit the critical vulnerability in Apache Log4j, including in the U.S. and Europe.

A number of researchers, including at cybersecurity giant Sophos, have now said they’ve observed the attempted deployment of a ransomware family known as TellYouThePass. Researchers have described TellYouThePass as an older and largely inactive ransomware family—which has been revived with the discovery of the vulnerability in the widely used Log4j logging software. It’s now being used to target Windows and Linux systems, researchers said. TellYouThePass becomes the second family of ransomware observed by multiple researchers to exploit the vulnerability in Log4j, along with the Khonsari ransomware.

Beyond China

And while previous reports indicated that TellYouThePass was mainly being directed against targets in China, a researcher at Sophos told VentureBeat that the company has observed the attempted delivery of TellYouThePass ransomware both inside and outside of China—including in the U.S. and Europe.

“Systems in China were targeted, as well as some hosted in Amazon and Google cloud services in the U.S. and at several sites in Europe,” said Sean Gallagher, a senior threat researcher at Sophos Labs, in an email to VentureBeat on Tuesday.

Sophos detected attempts to deliver TellYouThePass payloads on December 17 and December 18, Gallagher said. The company initially disclosed its detection of TellYouThePass ransomware in a blog post Monday evening.

The first report of TellYouThePass ransomware exploiting the Log4j vulnerability, known as Log4Shell, appears to have come from the head of a Chinese cybersecurity group, KnownSec 404 Team, on December 12. The attempted deployment of TellYouThePass in conjunction with Log4Shell was subsequently confirmed by additional researchers, according to researcher community Curated Intelligence.

In a blog post Tuesday, Curated Intelligence said its members can now confirm that TellYouThePass has been seen exploiting the vulnerability “in the wild to target both Windows and Linux systems.”

Additionally, the TellYouThePass ransomware is “capable of lateral movement through the theft of [Secure Socket Shell] credentials and OS credential dumping to propagate to other systems it can authenticate with on the local network,” Curated Intelligence said in the post.

Ransomware, old and new

TellYouThePass had most recently been observed in July 2020, Curated Intelligence said. It joins Khonsari, a new family of ransomware identified in connection with exploits of the Log4j vulnerability.

First disclosed by Bitdefender, Khonsari targets Windows systems and has been confirmed by cybersecurity firms including Microsoft. In its post Monday, Sophos said it has observed and blocked a delivery vehicle for Khonsari, prior to deployment of the ransomware. Researchers have not reported that Khonsari includes a way for a ransom payment to be made, suggesting that it’s “effectively a wiper” used to delete hard drive data, Emsisoft threat analyst Brett Callow said on Twitter.

Still, the detection of the two ransomware families “shows that some ransomware operators are moving forward with Log4j as part of their deployment scheme,” Gallagher told VentureBeat.

In addition to ransomware operators, the vulnerability in the open-source logging library has been exploited by brokers looking to sell their access to ransomware affiliates, according to researchers.

Ransomware attempts utilizing the Log4j vulnerability are far from widespread at this point, however. Researchers at Cisco Talos, for instance, have not observed any activity resulting in ransomware being deployed thus far, threat researcher Chris Neal told VentureBeat.

“After initial access, these attackers will commonly choose to gain persistence, and then minimize their footprint to prevent detection and perform reconnaissance,” Neal said in an email. “This type of behavior may account for the lack of ransomware campaigns utilizing this exploit being observed.”

Notably, Talos researchers have seen Log4j exploit attempts that led to connections back to previously known malicious Cobalt Strike servers—a common tactic both for ransomware operators and some state-sponsored actors, he said. Cobalt Strike is a popular tool used for malicious hacking, enabling activities such as remote reconnaissance and lateral movement.

Shifting from crypto mining

Even before the discovery of the widespread and trivial-to-exploit vulnerability in Log4j, Veeam chief technology officer Danny Allan expected that 2022 would see a greater shift from cryptocurrency mining to ransomware as the predominant activity for malicious actors.

Ransomware attacks, which by some estimates surged by 148% during the first three quarters of 2021, just offer “a much faster path to ROI for the threat actor” than crypto mining, Allan told VentureBeat.

And if that shift was likely even prior to the disclosure of Log4Shell, it’s definitely true now, he said. Allan expects that exploits for Log4j will be pre-built into “ransomware-as-a-service” packages, which threat actors are able to acquire in order to make it easier to carry out attacks.

Researchers say a significant amount of the Log4j exploitation activity so far has involved mining operations for cryptocurrencies such as Bitcoin. But that also doesn’t preclude the possibility of ransomware operators later using the crypto miners’ initial access to launch an attack.

“Some of these small things, like a crypto miner, can end up just being that first stage of attack,” said Roger Koehler, vice president of threat ops at Huntress. “Because they can go and sell that access on the black market. And somebody bigger and badder may buy that and do something more detrimental, like a ransomware attack.”

Ultimately, “those crypto miners can seem small, but that can escalate to something bigger,” Koehler told VentureBeat.

Access brokers

Along with attempted delivery of TellYouThePass and Khonsari, researchers at security firms including Microsoft and Sophos have seen activities by suspected “access brokers.” These threat actors work to establish a backdoor in corporate networks that can later be sold to ransomware operators. Log4j exploits by ransomware gang Conti have been observed, as well.

Microsoft and cyber firm Mandiant also said last week that they’ve observed activity from nation-state groups — tied to countries including China and Iran — seeking to exploit the Log4j vulnerability. Microsoft said that an Iranian group known as Phosphorus, which has previously deployed ransomware, has been seen “acquiring and making modifications of the Log4j exploit.”

At the time of this writing, there has been no public disclosure of a successful ransomware breach that exploited the vulnerability in Log4j.

Security firm Check Point reported Monday it has now observed attempted exploits of vulnerabilities in the Log4j logging library on more than 48% of corporate networks worldwide, up from 44% last Tuesday.

Widespread vulnerability

Many applications and services written in Java are potentially vulnerable due to the flaws in Log4j prior to version 2.17, which was released last Friday. The flaws can enable remote execution of code by unauthenticated users.

Version 2.17 of Log4j is the third patch for vulnerabilities in the software since the initial discovery of a remote code execution (RCE) vulnerability on December 9.

Along with enterprise products from major vendors including Cisco, VMware, and Red Hat, the vulnerabilities in Log4j affect many cloud services. Research from Wiz provided to VentureBeat suggests that 93% of all cloud environments were at risk from the vulnerabilities, though an estimated 45% of vulnerable cloud resources have been patched at this point.

Looking ahead, there’s an “extremely high” likelihood of ransomware attacks deriving from the vulnerability in the coming weeks and months, Wiz cofounder and CEO Assaf Rappaport told VentureBeat. “It’s only a matter of time, if it hasn’t started already,” he said.