SAMSAM Ransomware Moves from Healthcare Industry to Schools

Cisco’s security team, Talos, released another warning about SAMSAM ransomware. This time, it went from attacking the healthcare industry to the education sector after it was found infecting school systems through JBoss vulnerabilities. “Recently, a large-scale ransomware campaign delivering SAMSAM changed the threat landscape for ransomware delivery. Targeting vulnerabilities in servers to spread ransomware is a new dimension to an already prolific threat”, said Cisco on their blog post. According to the IR Services Team, Talos began investigating more on the SAMSAM ransomware due to recent customer feedback. A closer look into the JBoss vectors led them to the discovery of approximately 3.2 million servers at risk of infection due to poor patching practices.

[READ: SAMSAM Ransomware Hits Healthcare Industry]

The JBoss vulnerability that SAMSAM used was patched many years ago, however, due to older, unpatched applications, several systems—including Follet’s Learning Destiny Library software—was hit. More findings led to the detection of 2,100 installed backdoors across 1,600 IP addresses. The Follet’s Destiny software is a large Library Management system designed to track school library assets and is used in K-12 schools in the US and across the globe. Cisco stated that Follet had an impressive response. “Based on our internal systems security monitoring protocol, Follet identified the issue and immediately took actions to address and close the vulnerability on behalf of our customers. Follet takes data security very seriously and as a result, we are continuously monitoring our systems and software for threats, and enhancing our technology environment with the goal of minimizing risks for the institutions we serve”, Follet stated.

Follet also captured any non-Destiny files that were present on the system to help remove any existing backdoors on the systems. Additionally, Follet’s technical support will also provide security measures to customers who may have suspicious files on their systems. Given the extent of the threat, Follet strongly extends support to ensure that their customers take advantage of the patch.

Ransomware has gone a long way from just issuing empty threats—with its ability to hijack files and render systems useless and the use of extortion methods as a means of scaring victims to pay up. Last month, SAMSAM, via JBoss as well, targeted the healthcare industry by exploiting system vulnerabilities to gain remote shell access. Interestingly, SAMSAM was notable due to its ability to spread via unpatched servers, unlike traditional ransomware which relies on social engineering techniques or malvertising. This time around, attackers found another sector to target—schools. Schools make for an ideal target not only because of the information they store, but because schools are more likely to have outdated IT security systems due to years of underfunding.

[READ: The rapid growth of ransomware]