Recently, a large-scale ransomware campaign delivering SamSam changed the threat landscape for ransomware delivery. Targeting vulnerabilities in servers to spread ransomware adds a new dimension to an already prolific threat. Based on information provided by our Cisco IR Services Team, stemming from a recent customer engagement, we began looking deeper into the JBoss vectors that were used as the initial point of compromise. Initially, we started scanning the internet for vulnerable machines. This led us to approximately 3.2 million at-risk machines.
As part of this investigation, we scanned for machines that were already compromised and potentially waiting for a ransomware payload. We found approximately 2,000 machines with a backdoor already installed. Over the last few days, Talos has been in the process of notifying affected parties including: schools, governments, aviation companies, and more. Several of these systems had one specific software solution in common. Read the full post for details, advisories, and recommended remediation.