Attackers trying to exploit the Log4j vulnerability have targeted almost 44% of corporate networks globally, according to Check Point.
Late last week, Apache disclosed and patched a remote code execution vulnerability in its popular Java logging library that’s used in nearly every enterprise app and service from vendors including Microsoft, Twitter, Amazon, and Apple, among others.
Wiz, the cloud security unicorn that discovered the Microsoft Cosmos DB vulnerability earlier this year, says more than 89% of all IT environments have vulnerable Log4j libraries.
“And in many of them, the dev teams are sure they have zero exposure — and are surprised to find out that some third-party component is actually built using Java,” Wiz co-founder and CTO Ami Luttwak said in an email to SDxCentral.
Meanwhile, the attackers continue finding novel ways to exploit the flaw, according to Check Point.
“Since Friday we witnessed what looks like an evolutionary repression with new variations of the original exploit being introduced rapidly — over 60 in less than 24 hours,” the security vendor’s threat researchers wrote in a Check Point blog updated today.
For example, attackers can exploit the vulnerability over HTTP or HTTPS, which gives them ways to bypass newly introduced protections. “It means that one layer of protection is not enough and only a multi-layered security posture would provide resilient protection,” the blog says, calling Log4j “one of the most serious vulnerabilities” in recent years.
To this point, Check Point has blocked almost 1.3 million attempts to exploit Log4j, and of those, 46% were made by known malicious groups.
The growing number of exploits isn’t surprising, Gartner senior research director Mark Horvath said.
“One of the biggest sources of new exploits is reverse-engineering patches, seeing what they are fixing and how, and then trying permutations to get around them,” he added. “While service patches are going out now, and security people are aware of this trick, it does mean this is likely to persist for some time.”
Threat researchers originally documented attackers using the security flaw to install coin miners, to deploy Cobalt Strike for credential theft and lateral movement, and to steal data. But most agreed it was just a matter of time before ransomware attacks followed. And late Monday, it appeared that prediction may have become a reality when reports started surfacing that linked a ransomware attack against Kronos to the Log4j vulnerability.
Ransomware Gangs Follow Suit
While the HR software vendor said that a ransomware attack took down its Kronos Private Cloud over the weekend, Kronos hasn’t confirmed that this attack was related to Log4j. At press time, the company hadn’t responded to a request for comment.
Cybersecurity vendor Tenable reported that its customers are now auditing 1,000 systems per second and identifying one Log4j-affected system per second.
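The two points above, that teams often do not know a third-party component bundles Log4j (Wiz) and that affected systems are being found by auditing at scale (Tenable), come down to one defensive task: inventorying which archives on a host actually contain log4j-core. The script below is an added example written for this article, not code from SDxCentral, Wiz, Tenable or Check Point. It walks a directory tree, opens every .jar/.war/.ear, descends into archives nested inside them (WEB-INF/lib, BOOT-INF/lib and similar), and reports the log4j-core version from the jar's Maven pom.properties together with whether the JndiLookup class, the component behind the JNDI lookups, is still present. The sample jars it scans are constructed in memory with a placeholder version string; compare versions reported on real hosts against the Apache advisory, which this example deliberately does not hard-code.

```python
import io
import re
import zipfile
from pathlib import Path

# Class that implements JNDI lookups inside log4j-core; removing it from the
# jar is one of the published mitigations, so its presence is the key signal.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core ships inside its own jar; carries the version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Pull 'version=...' out of a pom.properties body; None if the key is missing."""
    m = re.search(r"^version=(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None


def scan_archive(data, path):
    """Inspect one archive (as bytes) and every archive nested inside it.

    Returns a list of (logical path, log4j-core version or None, JndiLookup present).
    Non-zip input yields no findings instead of raising.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = sorted(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            version = parse_version(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version is not None or has_jndi:
            findings.append((path, version, has_jndi))
        # Third-party components hide log4j-core one or more levels down
        # (a war's WEB-INF/lib, a fat jar's BOOT-INF/lib), so recurse.
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), f"{path}!{name}"))
    return findings


def scan_tree(root):
    """Scan every archive under a directory; returns the combined findings."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive(p.read_bytes(), str(p)))
    return findings


def build_sample_jar(version, include_jndi):
    """Constructed fixture: an in-memory jar with log4j-core's layout, not real log4j."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            POM_PROPERTIES,
            f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
        )
        if include_jndi:
            # Placeholder bytes standing in for the class file, not real bytecode.
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_war(inner_jar_bytes):
    """Constructed fixture: a web application archive embedding the jar under WEB-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", inner_jar_bytes)
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
    return buf.getvalue()


if __name__ == "__main__":
    war = build_sample_war(build_sample_jar("0.0-CONSTRUCTED", True))
    for path, version, jndi in scan_archive(war, "app.war"):
        print(f"{path}: log4j-core version={version} JndiLookup present={jndi}")
```

Point `scan_tree()` at an application directory to produce the same report for real archives. A jar that reports a version but no JndiLookup class has had the class stripped (one of the documented mitigations); a jar that still contains it needs to be compared against the advisory's fixed versions, and a nested finding shows exactly the case Luttwak describes, where the exposure sits inside a component the team did not build.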
“Just as we warned, Log4Shell is unleashing holy hell on businesses everywhere. And the worst is yet to come if organizations don’t take immediate action,” said Tenable CEO Amit Yoran, founding director of the U.S. Computer Emergency Readiness Team within the Department of Homeland Security.
Threat researchers are already seeing ransomware gangs take advantage of the security flaw, he wrote in an email to SDxCentral.
“Let me be clear, these ransomware activities are not going to go away — they will only increase like wildfire thanks in part to this new, perfect payload in the form of Log4Shell,” Yoran said. “Organizations need to take swift and decisive action as Log4Shell can and will completely undermine your security program.”
Jonathan Care, a senior research director at Gartner, said he expects more cybercrime to follow as attackers continue to exploit the vulnerability.
“Crimeware of all types is likely to manipulate this,” Care said, adding that cybersecurity practitioners will likely be dealing with the fallout for at least 12 months. “Low-grade spyware, cyberfraud are also likely. At this stage all we can say is this exploit is reproducible and highly effective. We are in the unfortunate situation of trying to understand the many varieties of weapons that could use gunpowder.”