More than three million servers across the world are on the verge of being injected with SamSam ransomware. Ransomware is an attack in which a hacker locks a victim’s system and threatens to destroy its data unless a ransom is paid. The ransomware menace grew in 2015 and became a major cyber threat in 2016. Hackers’ new approach of targeting servers rather than individual systems seems more devastating for users.
Out of these three million servers, 2,100 have already been injected with webshells. A webshell is code that runs on the server and lets an attacker control the server’s functions remotely.
Ransomware attack on Follett’s Destiny Server:-
Talos is an elite security intelligence group owned by Cisco. It revealed that out-of-date versions of Red Hat’s JBoss enterprise application were behind the hijacking of the servers. It issued a warning stating that the vulnerabilities discovered on the servers were the consequence of the backdoors. A backdoor is a method of bypassing a system’s security checks to gain unauthorized access to it.
The compromised servers are linked to nearly 1,600 different IP addresses, allocated to schools, governments, and aviation companies. Talos further reported that the affected servers had been installed with software called “Destiny”, produced by Follett Learning. Destiny is library management software used by Kindergarten-to-12th-grade schools across the globe to keep records of their books and other belongings.
Addressing the issue, Follett reported that its technical support team will reach out as soon as possible to customers with suspicious file content on their systems. It added that it considers data security a critical issue and will immediately take action and enhance its technology to minimize the risk.
Recommendations to Prevent Ransomware Attack:-
If a server is found to be injected with a webshell, it is recommended to remove external access to it. This cuts off the attacker’s unauthorized access before a ransomware attack can follow. Alternatively, users can reimage the system and install updated versions of the software. Reimaging is the process of removing all software from a computer and reinstalling everything.
Backing up all data before an attack and using reputable anti-virus software remain evergreen methods of protection against ransomware.
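The first recommendation above presupposes that an administrator can tell whether a webshell has landed on a server. The script below is an added example, not code from the article, Talos or Follett: it walks a web-application deployment directory (for JBoss, typically the `deploy` or `deployments` folder of the installation) and flags server-side script files that contain command-execution indicators of the kind a webshell needs. The indicator patterns, the file extensions and the sample deployment are assumptions constructed for illustration; the "suspicious" sample carries the indicator text only inside a comment, so nothing written to disk is executable.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicator patterns for server-side scripts that hand request input to a command
# or code-execution primitive. This list is an assumption for illustration, not a
# complete signature set.
WEBSHELL_PATTERNS = {
    "java_runtime_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec", re.I),
    "java_processbuilder": re.compile(r"new\s+ProcessBuilder\s*\(", re.I),
    "php_shell_function": re.compile(r"\b(system|shell_exec|passthru|popen)\s*\(", re.I),
    "eval_of_request_input": re.compile(r"eval\s*\(\s*\$_(GET|POST|REQUEST)", re.I),
}

# File types a web container executes as server-side code (assumed set).
SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".php", ".aspx"}


def scan_file(path):
    """Return the names of indicator patterns found in one file (empty if clean)."""
    try:
        text = Path(path).read_text(errors="ignore")
    except OSError:
        return []
    return [name for name, pattern in WEBSHELL_PATTERNS.items() if pattern.search(text)]


def scan_directory(root):
    """Walk a deployment directory; map each flagged script (relative path) to its hits."""
    root = Path(root)
    findings = {}
    for dirpath, _subdirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            if path.suffix.lower() not in SCRIPT_EXTENSIONS:
                continue
            hits = scan_file(path)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_deployment():
    """Create a throwaway directory that mimics an exploded web application.

    Everything written here is constructed sample data, not files from any real
    server. The 'suspicious' file holds the indicator text inside a JSP comment
    only, so it does not execute anything.
    """
    root = Path(tempfile.mkdtemp(prefix="deploy_sample_"))
    app = root / "catalogue.war"
    app.mkdir()
    # Benign page: renders a catalogue listing, no execution primitive.
    (app / "index.jsp").write_text(
        '<%@ page language="java" %>\n<html><body>Library catalogue</body></html>\n'
    )
    # Plain text mentioning the primitive: not a script type, so it is skipped.
    (app / "README.txt").write_text(
        "Runtime.getRuntime().exec is mentioned here but not in a script\n"
    )
    # Unexpected script carrying the indicator text (inside a comment).
    (app / "unexpected.jsp").write_text(
        "<%-- constructed indicator: request parameter passed to "
        "Runtime.getRuntime().exec(...) --%>\n"
    )
    return root


if __name__ == "__main__":
    sample_root = build_sample_deployment()
    for rel_path, hits in sorted(scan_directory(sample_root).items()):
        print(f"FLAG {rel_path}: {', '.join(hits)}")
```

Run against a real deployment directory by calling `scan_directory("/path/to/jboss/deployments")`; any flagged file should be treated as the trigger for the steps the article recommends (cutting external access, then reimaging and updating) rather than simply deleted, since the file itself is evidence of how the server was reached. Pattern matching of this kind finds the obvious cases and misses obfuscated ones, so it complements, and does not replace, comparing the deployment against a known-good copy.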