
JBoss Exploit Compromises Over 2,000 Computers at K-12 Schools Spreading Samsam Ransomware

Hardly a day passes without some major incident caused by the destructive force of recent ransomware threats. Making its mark in the middle of April is the JBoss exploit, which has infected over 2,000 computers, primarily located in schools, among other organizations.

The JBoss-infected systems are not only being faced with ransom notifications and encryption of their files; the infected computers are also being instructed by a remote server to infect other computers with the Samsam ransomware. As we already know, Samsam ransomware is a self-propagating threat that has evolved into what we call a CryptoWorm.

With over 2,000 infected computers serving as a virtual army, much like a botnet, to deliver the Samsam ransomware to other computers, we could be on the verge of a new pandemic of self-spreading ransomware. According to Cisco's Talos threat-intelligence organization, about 3.2 million systems worldwide are at risk of infection from the latest ransomware exploit campaign.

The looming question of how and why it is mostly computers within K-12 schools that are infected through JBoss to spread Samsam ransomware has a simple answer. The targeted systems within K-12 schools all run Follett's Destiny library-management software. Versions 9.0 to 13.5 of that software, which run on systems at thousands of schools, contain a vulnerability that is being exploited. While Follett has provided a patch that closes the vulnerability, a field of schools remains that either still run the outdated software or have already been compromised to the point that their systems are being remotely controlled to spread Samsam.

The systems compromised through JBoss and under the control of its servers usually carry more than one Web shell. The implication is that these servers have been compromised several other times by different hackers or cybercrooks. It also tells us that an attacker who has already compromised a server can control it remotely, which gives cybercrooks the ability to pivot and move laterally within the internal network.

Any compromised hosts associated with JBoss-exploited servers should be taken down immediately; otherwise the possibility remains that others will abuse the server in many different ways. While JBoss was the culprit in the spread of Samsam ransomware in the past, the latest campaign to exploit school systems could reprise the threat with even greater consequences.

Currently, thousands of schools have been put on high alert and advised to update their Follett software. Additionally, the outbreak of Samsam ransomware is expected to reach more hospitals and other not-for-profit organizations. The same methods of extorting money from computer users and system administrators hold true with Samsam. It is in a company's or school's best interest to take proactive measures to thwart the threat of Samsam instead of dealing with its self-spreading antics and the large fees demanded to recover files.
