Samsam Ransomware Campaign Exploits Backdoor in JBoss Servers
Ransomware, a frightening and invasive threat in which an entire computer is held hostage until monetary demands are met, is on the rise and impacting a wide range of vertical markets. In addition to the millions of dollars in profits earned by the criminals behind ransomware, the money lost through downtime and loss of data is even greater and can be devastating for any business.
A recent blog post from the Cisco Talos team examines the Samsam ransomware campaign, which targets server vulnerabilities to infiltrate a network. Unlike most types of ransomware, which use phishing and exploit kits to lure unsuspecting users into installing malicious files, Samsam leverages JexBoss, an open source tool for testing and exploiting JBoss application servers, as the backdoor into a network. Once entry is gained, the attackers are able to encrypt and hold hostage multiple Windows systems using the Samsam ransomware.
The healthcare industry has been a particular target for Samsam, and the Hollywood Presbyterian Medical Center is one of the most notable victims. The organization’s network and files were held hostage in February until the hospital paid out $17,000 in bitcoins to restore its systems. And earlier this month Union Memorial Hospital in Baltimore was attacked by Samsam, with a price tag of $18,500 in bitcoins to unlock its systems.
In response to the spate of attacks, Cisco Talos began examining the JBoss vectors compromised in the attacks. After an initial Internet scan, the group found an alarming 3.2 million machines at risk, along with more than 2,100 backdoors already installed across close to 1,600 IP addresses. The group has spent this month notifying the victims and potential victims, which include schools, governments and aviation companies.
According to the team, many of the victims had the Follett Destiny software installed, a Library Management System for tracking school library assets used globally, mostly by K-12 schools. Follett has a patch for the vulnerability in place and is reaching out to customers at risk.
Cisco Talos has also published detailed information about common webshells being used to create backdoors into JBoss servers. According to the group, “Webshells are a major security concern as they indicate an attacker has already compromised this server and can remotely control it. As a result, a compromised web server could be used to pivot and move laterally within an internal network. Given the severity of this problem, a compromised host should be taken down immediately as this host could be abused in a number of ways. These servers are hosting JBoss which has been recently involved in a high profile ransomware campaign.”
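As an added check, not taken from the Talos post or this article, the following Python script walks a JBoss deploy directory and flags JSP files whose source contains OS command execution calls, the hallmark of a planted webshell. The deploy directory location, the regex heuristics and the throwaway sample files are all assumptions constructed for this example.

```python
import os
import re
import tempfile

# Constructed heuristics for JSP webshells: server-side code that spawns
# OS processes. Not Talos's published indicator list.
SUSPICIOUS_PATTERNS = [
    re.compile(r"Runtime\.getRuntime\(\)\.exec\("),
    re.compile(r"new\s+ProcessBuilder\("),
]

def scan_deploy_dir(deploy_dir):
    """Return [(relative_path, matched_pattern)] for every .jsp/.jspx file
    under deploy_dir (assumed to be a JBoss deploy tree) that matches a
    suspicious pattern. A hit means the file deserves manual review."""
    findings = []
    for root, _dirs, files in os.walk(deploy_dir):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            path = os.path.join(root, name)
            with open(path, "r", errors="replace") as fh:
                content = fh.read()
            for pat in SUSPICIOUS_PATTERNS:
                if pat.search(content):
                    findings.append((os.path.relpath(path, deploy_dir), pat.pattern))
                    break  # one finding per file is enough for triage
    return findings

def build_sample_deploy_dir():
    """Construct a temporary deploy tree with one benign JSP and one
    webshell-like JSP (non-functional fragment) so the scanner runs offline."""
    base = tempfile.mkdtemp(prefix="jboss_deploy_")
    benign = os.path.join(base, "app.war", "index.jsp")
    suspect = os.path.join(base, "zzz.war", "cmd.jsp")
    os.makedirs(os.path.dirname(benign))
    os.makedirs(os.path.dirname(suspect))
    with open(benign, "w") as fh:
        fh.write('<html><body><%= "Hello" %></body></html>\n')
    with open(suspect, "w") as fh:
        fh.write('<% Runtime.getRuntime().exec(cmd); %>\n')
    return base

if __name__ == "__main__":
    for rel, pat in scan_deploy_dir(build_sample_deploy_dir()):
        print(f"SUSPICIOUS {rel}: matches {pat}")
```

Point `scan_deploy_dir` at the real deploy directory of each JBoss instance and review every hit; an unexpected WAR containing such code is the kind of backdoor the Talos notification describes.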
Patching is of course an immediate way to address vulnerabilities. But the severity and reach of the Samsam ransomware campaign should also serve as a reminder of the importance of having a proper backup and recovery plan in place, should an attack occur. In many cases, companies with proper backup can not only continue to operate seamlessly during an attack, but can recover sensitive data and files without giving in to ransom demands, saving valuable time and money.