Samsam ransomware gathered headlines in March of this year. It differentiated itself from other similar attacks by its method of propagation: Rather than load itself via a poisoned macro attached to an email, Samsam spread through infected servers.

Experts even believe that Samsam was behind the ransomware attacks on a Baltimore hospital in March. But there’s more to this threat than meets the eye.

A Look at the Ransomware Attacks

Talos noticed that this malware had certain characteristics. Samsam first breaks into one server and is sophisticated enough to proliferate across the network by finding targets that run Windows. It sneaks into that first foothold without the need for an individual to click anything.

JBoss is one application server that Samsam likes to exploit. Although it was originally developed by the open source community, it is now available in a commercial flavor, as well. JBoss is written in Java and can host business components developed in Java.

JexBoss, an open-source verification tool for finding JBoss vulnerabilities, is a great aid in allowing SamSam ransomware attacks to infect JBoss. JexBoss can drill into the JBoss server for the malware.

Talos found another tool, a component of REGeorg called tunnel.jsp, to be an infection vector for Samsam. REGeorg is an open-source framework used to create socks proxies for communication.

Digging Deeper

A Talos scan discovered roughly 3.2 million machines were at risk by running unpatched versions of JBoss. The company also looked for already-compromised machines on which ransomware could be deployed.

It found more than 2,100 backdoors across 1,600 IP addresses associated with governments, schools, aviation companies and other types of organizations. Some of these may have been victims of other malware campaigns.

Talos’s conclusion about the findings bears repeating. “With around 2,100 servers affected, there are a lot of stories about how this happened,” the blog stated. “But a consistent thread in them all is the need to patch. Patching is a key component to software maintenance. It is neglected by both users and makers of the software far too often. Failures anywhere along the chain will ensure that this type of attack remains successful.”

While Talos recommended that external access to all servers that show signs of compromise be immediately removed until restoration can be performed, that’s only a stopgap measure. Mediation of the problem will be an ongoing process, ensuring that all systems are checked regularly and all patches applied to stop the ransomware’s spread.