Hackers Are Exploiting Server Vulnerabilities to Spread Ransomware

In ransomware attacks, cybercriminals usually try to trick users into running a program that infects their computers. However, large-scale ransomware attacks in 2016 revealed that hackers have devised a new way to deliver their malware — by targeting vulnerabilities in servers.

In a series of attacks during March and April 2016, hackers exploited a known vulnerability in servers running Red Hat’s JBoss software to install backdoors, which they then used to deliver ransomware known as Samsam. When researchers at Talos investigated the attacks, they found that more than 2,100 JBoss servers had backdoors installed, ready and waiting for the delivery of the ransomware or other malicious code. The compromised servers were located in a variety of organizations, including medical facilities, schools, government agencies, and aviation companies.

The vulnerability in the JBoss software is not new. Even though Red Hat has released an update that fixes it, around 3.2 million servers have not been patched, according to Talos. With that many potential victims, it is safe to say that cybercriminals will continue launching these attacks.

How the Attacks Are Being Carried Out

To carry out the attacks, hackers first scan servers connected to the Internet for signs of the vulnerability. When they find an unpatched JBoss server, they exploit the vulnerability to access the machine. The cybercriminals then use a tool called JexBoss to install web shells (i.e., small scripts) that let them remotely control the server. They also use the tool to open a backdoor through which they install the Samsam ransomware.

Samsam is designed to encrypt more than 325 different types of files in Windows systems using the Advanced Encryption Standard (AES) algorithm. Afterward, the ransomware encrypts the AES algorithm’s key with RSA-2048 bit encryption. If you do not have backups, the only way to get your files back is to pay the ransom.

To make matters worse, Samsam is a self-spreading ransomware program. A compromised server will try to infect any Windows computers connected to it (they do not have to be running JBoss), which can lead to a network-wide Samsam infection.

What You Can Do to Protect Your Business

To help safeguard your business from Samsam, follow these recommendations:

Keep your JBoss software up-to-date. With the vulnerability patched, cybercriminals cannot access your server.
Keep all other applications, including the operating system, up-to-date on each computer in your business. Hackers like to take advantage of unpatched computers. Do not give them that opportunity.
Use anti-malware software. It can help guard against known ransomware attacks and other kinds of malware threats.
Regularly back up files and systems, and make sure the backups can be successfully restored. Although this will not prevent a Samsam ransomware attack, you will not have to pay the ransom if one occurs.

Your IT service provider can analyze your IT environment and make other recommendations on how to protect your business against ransomware and other types of attacks. Together, you can develop a comprehensive plan that will help keep cybercriminals at bay.