April 19, 2016 By Larry Loeb 2 min read

Samsam ransomware gathered headlines in March of this year. It differentiated itself from other similar attacks by its method of propagation: Rather than load itself via a poisoned macro attached to an email, Samsam spread through infected servers.

Experts even believe that Samsam was behind the ransomware attacks on a Baltimore hospital in March. But there’s more to this threat than meets the eye.

A Look at the Ransomware Attacks

Talos noticed that this malware had certain characteristics. Samsam first breaks into one server and is sophisticated enough to proliferate across the network by finding targets that run Windows. It sneaks into that first foothold without the need for an individual to click anything.

JBoss is one application server that Samsam likes to exploit. Although it was originally developed by the open source community, it is now available in a commercial flavor, as well. JBoss is written in Java and can host business components developed in Java.

JexBoss, an open-source verification tool for finding JBoss vulnerabilities, is a great aid in allowing SamSam ransomware attacks to infect JBoss. JexBoss can drill into the JBoss server for the malware.

Talos found another tool, a component of REGeorg called tunnel.jsp, to be an infection vector for Samsam. REGeorg is an open-source framework used to create socks proxies for communication.

Digging Deeper

A Talos scan discovered roughly 3.2 million machines were at risk by running unpatched versions of JBoss. The company also looked for already-compromised machines on which ransomware could be deployed.

It found more than 2,100 backdoors across 1,600 IP addresses associated with governments, schools, aviation companies and other types of organizations. Some of these may have been victims of other malware campaigns.

Talos’s conclusion about the findings bears repeating. “With around 2,100 servers affected, there are a lot of stories about how this happened,” the blog stated. “But a consistent thread in them all is the need to patch. Patching is a key component to software maintenance. It is neglected by both users and makers of the software far too often. Failures anywhere along the chain will ensure that this type of attack remains successful.”

While Talos recommended that external access to all servers that show signs of compromise be immediately removed until restoration can be performed, that’s only a stopgap measure. Mediation of the problem will be an ongoing process, ensuring that all systems are checked regularly and all patches applied to stop the ransomware’s spread.

More from

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally.The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets.Who is exploiting the NGFW zero-day?As of now, little is known about the actors behind the…

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today