April 19, 2016 By Larry Loeb 2 min read

Samsam ransomware gathered headlines in March of this year. It differentiated itself from other similar attacks by its method of propagation: Rather than load itself via a poisoned macro attached to an email, Samsam spread through infected servers.

Experts even believe that Samsam was behind the ransomware attacks on a Baltimore hospital in March. But there’s more to this threat than meets the eye.

A Look at the Ransomware Attacks

Talos noticed that this malware had certain characteristics. Samsam first breaks into one server and is sophisticated enough to proliferate across the network by finding targets that run Windows. It sneaks into that first foothold without the need for an individual to click anything.

JBoss is one application server that Samsam likes to exploit. Although it was originally developed by the open source community, it is now available in a commercial flavor, as well. JBoss is written in Java and can host business components developed in Java.

JexBoss, an open-source verification tool for finding JBoss vulnerabilities, is a great aid in allowing SamSam ransomware attacks to infect JBoss. JexBoss can drill into the JBoss server for the malware.

Talos found another tool, a component of REGeorg called tunnel.jsp, to be an infection vector for Samsam. REGeorg is an open-source framework used to create socks proxies for communication.

Digging Deeper

A Talos scan discovered roughly 3.2 million machines were at risk by running unpatched versions of JBoss. The company also looked for already-compromised machines on which ransomware could be deployed.

It found more than 2,100 backdoors across 1,600 IP addresses associated with governments, schools, aviation companies and other types of organizations. Some of these may have been victims of other malware campaigns.

Talos’s conclusion about the findings bears repeating. “With around 2,100 servers affected, there are a lot of stories about how this happened,” the blog stated. “But a consistent thread in them all is the need to patch. Patching is a key component to software maintenance. It is neglected by both users and makers of the software far too often. Failures anywhere along the chain will ensure that this type of attack remains successful.”

While Talos recommended that external access to all servers that show signs of compromise be immediately removed until restoration can be performed, that’s only a stopgap measure. Mediation of the problem will be an ongoing process, ensuring that all systems are checked regularly and all patches applied to stop the ransomware’s spread.

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today