April 19, 2016 By Larry Loeb 2 min read

Samsam ransomware gathered headlines in March of this year. It differentiated itself from other similar attacks by its method of propagation: Rather than load itself via a poisoned macro attached to an email, Samsam spread through infected servers.

Experts even believe that Samsam was behind the ransomware attacks on a Baltimore hospital in March. But there’s more to this threat than meets the eye.

A Look at the Ransomware Attacks

Talos noticed that this malware had certain characteristics. Samsam first breaks into one server and is sophisticated enough to proliferate across the network by finding targets that run Windows. It sneaks into that first foothold without the need for an individual to click anything.

JBoss is one application server that Samsam likes to exploit. Although it was originally developed by the open source community, it is now available in a commercial flavor, as well. JBoss is written in Java and can host business components developed in Java.

JexBoss, an open-source verification tool for finding JBoss vulnerabilities, is a great aid in allowing SamSam ransomware attacks to infect JBoss. JexBoss can drill into the JBoss server for the malware.

Talos found another tool, a component of REGeorg called tunnel.jsp, to be an infection vector for Samsam. REGeorg is an open-source framework used to create socks proxies for communication.

Digging Deeper

A Talos scan discovered roughly 3.2 million machines were at risk by running unpatched versions of JBoss. The company also looked for already-compromised machines on which ransomware could be deployed.

It found more than 2,100 backdoors across 1,600 IP addresses associated with governments, schools, aviation companies and other types of organizations. Some of these may have been victims of other malware campaigns.

Talos’s conclusion about the findings bears repeating. “With around 2,100 servers affected, there are a lot of stories about how this happened,” the blog stated. “But a consistent thread in them all is the need to patch. Patching is a key component to software maintenance. It is neglected by both users and makers of the software far too often. Failures anywhere along the chain will ensure that this type of attack remains successful.”

While Talos recommended that external access to all servers that show signs of compromise be immediately removed until restoration can be performed, that’s only a stopgap measure. Mediation of the problem will be an ongoing process, ensuring that all systems are checked regularly and all patches applied to stop the ransomware’s spread.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today