We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Ransom:MSIL/Khonsari.A
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
This threat is human-operated ransomware. Khonsari ransomware affects files on drives connected to your device, as well as in certain folders on the C drive, such as Desktop. Files targeted by this ransomware are encrypted and are given a new file extension ending in ".khonsari".
Read the following blogs for more information about Log4Shell:
- Microsoft’s response to CVE 2021-44228 Apache log4j2
- Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation
In addition, the following page provides information on ransomware threats:
There is no one-size-fits-all response if you have been targeted by ransomware. To recover files, you can restore backups. There is no guarantee that paying the ransom will give you access to your files.
To help reduce the impact of this threat, you can:
- Confirm that this server has Apache and the Log4j component installed.
- Check for possible post-exploitation activities, such as unusual behavior from users with elevated privileges or suspicious spawned processes.
- Stop suspicious processes, isolate affected devices, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates. Update the Log4j component to log4j-2.17.0 or ensure that the device is set to start with log4j2.formatMsgNoLookups set to True.
- Contact your incident response team, or contact Microsoft support for investigation and remediation services
Microsoft Defender Antivirus detects and remediates files associated with Khonsari ransomware. Microsoft Defender for Endpoint detects behaviors associated with Khonsari pre-ransom activities. Additionally, using Tamper Protection can help defend against turning off security tools. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.
You can also visit our advanced troubleshooting page or search the Microsoft community for more help.
