Millions of Devices Face Ransomware

Tuesday, April 19, 2016 @ 03:04 PM gHale


PCs across multiple organizations could suffer a file-encrypting ransomware attack because of out-of-date software, researchers said.

Ransomware attacks aimed at organizations have been increasingly common and bad guys are coming up with new methods to make their operations more effective and profitable.

Attackers behind a piece of ransomware whose existence came to light in March, called “Samsam,” have been compromising out-of-date JBoss application servers and leveraging them to reach other machines on the network in order to infect them, said researchers at Cisco’s Talos group.

Researchers said Samsam, or Samas, is the ransomware that encrypted data on computers belonging to MedStar hospitals in Maryland.

Attackers have been using JexBoss, an open source tool designed for finding and exploiting vulnerabilities in JBoss application servers, to gain access to the targeted network and encrypt files on Windows machines using Samsam ransomware.

Cisco Talos conducted an Internet scan and discovered roughly 3.2 million at-risk machines. A search for already compromised machines, on which ransomware could be deployed at any time, revealed more than 2,100 backdoors across 1,600 IP addresses associated with governments, schools, aviation companies and other types of organizations.

Some of the compromised systems had been running the Destiny school library management system from Follett. The vendor has been working on patching vulnerable systems and removing any backdoors they may have been infected with.

Cisco found more than one backdoor on some compromised systems, which suggests the infected machines had been targeted several times by different threat actors. The list of webshells found by researchers includes mela, shellinvoker, jbossinvoker, zecmd, cmd, genesis, sh3ll and possibly Inovkermngrt and jbot.

“With around 2100 servers affected, there are a lot of stories about how this happened. But a consistent thread in them all is the need to patch. Patching is a key component to software maintenance. It is neglected by both users and makers of the software far too often,” Cisco’s Alexander Chiu said in a blog post.

Cisco advised administrators who find webshells on their servers to first disable external access to the infected machine to keep attackers out. They should then either completely reinstall the system and ensure all software is up to date, or restore the system to a point before it was compromised and patch all vulnerable applications.
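The first remediation step above is to find any webshells. The following is an added example, not code from the article or from Cisco Talos, of a defender-side hunt that walks a JBoss deployment directory and flags deployable artifacts (.jsp, .war, .jar, .ear) whose base name matches one of the webshell names the researchers reported; the directory layout and file contents are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Webshell names Cisco Talos reported on compromised JBoss hosts (listed in the article).
KNOWN_WEBSHELLS = {
    "mela", "shellinvoker", "jbossinvoker", "zecmd", "cmd",
    "genesis", "sh3ll", "inovkermngrt", "jbot",
}
# Artifact types that JBoss hot-deploys; a name match on anything else is noise.
DEPLOYABLE_SUFFIXES = {".jsp", ".war", ".jar", ".ear"}


def suspicious_artifacts(root):
    """Walk a JBoss deploy tree and return relative paths of deployable files
    whose base name (case-insensitive) matches a reported webshell name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() in DEPLOYABLE_SUFFIXES and stem.lower() in KNOWN_WEBSHELLS:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample deploy directory (not real data) with two planted hits,
    one legitimate application and one name match that is not deployable."""
    root = tempfile.mkdtemp(prefix="jboss-deploy-")
    layout = {
        "app.war/index.jsp": "<html>hello</html>",      # legitimate app page
        "app.war/WEB-INF/web.xml": "<web-app/>",
        "jbossinvoker.war": "PK",                         # reported webshell name
        "management/zecmd.jsp": "<% %>",                  # reported webshell name
        "notes/cmd.txt": "not deployable",                # name matches, wrong type
    }
    for rel, body in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root


if __name__ == "__main__":
    for hit in suspicious_artifacts(build_sample_tree()):
        print("suspicious:", hit)  # prints jbossinvoker.war and management/zecmd.jsp
```

A name match is only a starting point, since a backdoor can be renamed; treat every hit as a lead to examine by hand, and remember that a clean name list does not prove the host is clean.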