Khonsari ransomware attacks Minecraft servers

Microsoft urged administrators of private Minecraft servers (located on their own hosting) to update to the latest versions as soon as possible, as they are being attacked by the Khonsari ransomware that exploits the critical Log4Shell vulnerability.

Back last week, the developers behind Minecraft at Mojang Studios released an emergency security update to address the critical bug CVE-2021-44228.

This issue, recently discovered in the Log4j logging library in recent weeks, has been talked about around the world. This vulnerability is also known as Log4Shell and has the potential to become one of the worst bugs in recent years.

In Minecraft, the Log4j library is used by the Java Edition by the game client and multiplayer servers. Microsoft has now warned that the new vulnerability is already being actively used to attack private servers.

The attacker sends a malicious in-game message to the vulnerable Minecraft server, which exploits CVE-2021-44228 to retrieve and execute the payload placed by the attacker on both the server and connected vulnerable clients. We saw the use of a malicious Java class, which is the Khonsari ransomware and is executed in the context of javaw.exe, to then demand a ransom.told in Microsoft.

Microsoft 365 Defender Threat Intelligence and Microsoft Threat Intelligence Center (MSTIC) also report that they observed PowerShell-based reverse shells deployed at corporate endpoints, where Log4j exploits targeting Minecraft servers were just an entry point.

As a result, Microsoft has asked all administrators to immediately install the latest updates to protect against attacks, and recommends that players connect only to trusted Minecraft servers and use the official and latest version of the client. Minecraft: Java Edition server administrators can find all necessary update instructions here.

At first glance, this malware appears to be exploiting the Log4Shell problem for ransomware attacks. However, in reality, Khonsari is more like a wiper, that is, it is adestructive malware that deliberately encrypts data beyond recovery. The fact is that the victims cannot contact the malware operators to pay the ransom (there are simply no contacts in the message that the extortionists leave behind), which means they cannot save their information.

Apparently, the attacks on Minecraft servers that have begun now are also carried out solely for the sake of griefing and trolling, and the malware operators do not pursue financial gain.

Let me remind you that we wrote that Researchers discovered ALPHV ransomware written in Rust, as well as that Chaos ransomware attacks Minecraft players.

Helga Smith

I was always interested in computer sciences, especially data security and the theme, which is called nowadays "data science", since my early teens. Before coming into the Virus Removal team as Editor-in-chief, I worked as a cybersecurity expert in several companies, including one of Amazon's contractors. Another experience: I have got is teaching in Arden and Reading universities.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button