{"id":82528,"date":"2018-04-24T09:54:28","date_gmt":"2018-04-24T16:54:28","guid":{"rendered":"https:\/\/www.backblaze.com\/blog\/?p=82528"},"modified":"2025-07-23T06:52:17","modified_gmt":"2025-07-23T13:52:17","slug":"ransomware-update-viruses-targeting-business-it-servers","status":"publish","type":"post","link":"https:\/\/www.backblaze.com\/blog\/ransomware-update-viruses-targeting-business-it-servers\/","title":{"rendered":"Ransomware Update: Viruses Targeting Business IT Servers"},"content":{"rendered":"

\"Ransomware<\/p>\n

As ransomware attacks have grown in number in recent months, the tactics and attack vectors also have evolved. While the primary method of attack used to be to target individual computer users within organizations with phishing emails and infected attachments, we’re increasingly seeing attacks that target weaknesses in businesses’ IT infrastructure.<\/p>\n

How Ransomware Attacks Typically Work<\/h2>\n

In our previous posts on ransomware<\/a>, we described the common vehicles used by hackers to infect organizations with ransomware viruses. Most often, downloaders distribute trojan horses through malicious downloads and spam emails. The emails contain a variety of file attachments, which if opened, will download and run one of the many ransomware variants. Once a user\u2019s computer is infected with a malicious downloader, it will retrieve additional malware, which frequently includes crypto-ransomware. After the files have been encrypted, a ransom payment is demanded of the victim in order to decrypt the files.<\/p>\n

What\u2019s Changed With the Latest Ransomware Attacks?<\/h3>\n

In 2016, a customized ransomware strain called SamSam<\/a> began attacking the servers in primarily health care institutions. SamSam, unlike more conventional ransomware, is not delivered through downloads or phishing emails. Instead, the attackers behind SamSam use tools to identify unpatched servers running Red Hat\u2019s JBoss enterprise products. Once the attackers have successfully gained entry into one of these servers by exploiting vulnerabilities in JBoss, they use other freely available tools and scripts to collect credentials and gather information on networked computers. Then they deploy their ransomware to encrypt files on these systems before demanding a ransom. Gaining entry to an organization through its IT center rather than its endpoints makes this approach scalable and especially unsettling. <\/p>\n

SamSam’s methodology is to scour the Internet searching for accessible and vulnerable JBoss application servers, especially ones used by hospitals. It’s not unlike a burglar rattling doorknobs in a neighborhood to find unlocked homes. When SamSam finds an unlocked home (unpatched server), the software infiltrates the system. It is then free to spread across the company\u2019s network by stealing passwords. As it transverses the network and systems, it encrypts files, preventing access until the victims pay the hackers a ransom, typically between $10,000 and $15,000. The low ransom amount has encouraged some victimized organizations to pay the ransom rather than incur the downtime required to wipe and reinitialize their IT systems.<\/p>\n

The success of SamSam is due to its effectiveness rather than its sophistication. SamSam can enter and transverse a network without human intervention. Some organizations are learning too late that securing internet-facing services in their data center from attack is just as important as securing endpoints.<\/p>\n

The typical steps in a SamSam ransomware attack are:<\/p>\n

\n\n\n\n\n\n\n\n\n\n
1<\/span>
\nAttackers gain access to vulnerable server<\/b><\/td>\n		<\/td>\nAttackers exploit vulnerable software or weak\/stolen credentials.<\/td>\n<\/tr>\n
\"\"<\/td>\n<\/td>\n<\/tr>\n
2<\/span>
\nAttack spreads via remote access tools<\/b><\/td>\n		<\/td>\nAttackers harvest credentials, create SOCKS proxies to tunnel traffic, and abuse RDP to install SamSam on more computers in the network.<\/td>\n<\/tr>\n
\"\"<\/td>\n<\/td>\n<\/tr>\n
3<\/span>
\nRansomware payload deployed<\/b><\/td>\n		<\/td>\nAttackers run batch scripts to execute ransomware on compromised machines.<\/td>\n<\/tr>\n
\"\"<\/td>\n<\/td>\n<\/tr>\n
4<\/span>
\nRansomware demand delivered requiring payment to decrypt files<\/b><\/td>\n		<\/td>\nDemand amounts vary from victim to victim. Relatively low ransom amounts appear to be designed to encourage quick payment decisions.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

What all the organizations successfully exploited by SamSam have in common is that they were running unpatched servers that made them vulnerable to SamSam. Some organizations had their endpoints and servers backed up, while others did not. Some of the victims chose to pay the ransom — a strategy that in the past hasn’t guaranteed that the hackers will decrypt the hijacked files.<\/p>\n

Timeline of SamSam History and Exploits<\/h3>\n

Since its appearance in 2016, SamSam has been in the news with many successful incursions into healthcare, business, and government institutions.<\/p>\n

\n
\n
\n
\n
March 2016<\/span>
SamSam appears<\/span><\/h5>\n

SamSam campaign targets vulnerable JBoss servers<\/strong>
\nAttackers hone in on healthcare organizations specifically, as they\u2019re more likely to have unpatched JBoss machines.<\/p>\n<\/div>\n<\/div>\n

\n
\n
April 2016<\/span>
SamSam finds new targets<\/span><\/h5>\n

SamSam begins targeting schools and government.<\/strong>
\nAfter initial success targeting healthcare, attackers branch out to other sectors.<\/p>\n<\/div>\n<\/div>\n

\n
\n
April 2017<\/span>
New tactics include RDP<\/span><\/h5>\n

Attackers shift to targeting organizations with exposed RDP connections, and maintain focus on healthcare.<\/strong>
\nAn attack on Erie County Medical Center costs the hospital $10 million over three months of recovery.
\n\"Erie<\/a>\n<\/div>\n<\/div>\n

\n
\n
January 2018<\/span>
Municipalities attacked<\/span><\/h5>\n

\u2022 Attack on Municipality of Farmington, NM.
\n\u2022 Attack on Hancock Health.
\n\"Hancock<\/a>
\n\u2022 Attack on Adams Memorial Hospital
\n\u2022 Attack on Allscripts (Electronic Health Records), which includes 180,000 physicians, 2,500 hospitals, and 7.2 million patients’ health records.<\/p>\n<\/div>\n<\/div>\n

\n
\n
February 2018<\/span>
Attack volume increases<\/span><\/h5>\n

\u2022 Attack on Davidson County, NC.
\n\u2022 Attack on Colorado Department of Transportation.
\n\"SamSam<\/a>\n<\/div>\n<\/div>\n

\n
\n
March 2018<\/span>
SamSam shuts down Atlanta<\/span><\/h5>\n

\u2022 Second attack on Colorado Department of Transportation.
\n\u2022 City of Atlanta suffers a devastating attack by SamSam.
\nThe attack has far-reaching impacts — crippling the court system, keeping residents from paying their water bills, limiting vital communications like sewer infrastructure requests, and pushing the Atlanta Police Department to file paper reports.
\n\"Atlanta<\/a>
\n\u2022 SamSam campaign nets $325,000 in 4 weeks.
\nInfections spike as attackers launch new campaigns. Healthcare and government organizations are once again the primary targets.<\/div>\n<\/div>\n<\/div>\n<\/div>\n

How to Defend Against SamSam and Other Ransomware Attacks<\/h2>\n

The best way to respond to a ransomware attack is to avoid having one in the first place. If you are attacked, making sure your valuable data is backed up and unreachable by ransomware infection will ensure that your downtime and data loss will be minimal or none if you ever suffer an attack.<\/p>\n

In our previous post, How to Recover From Ransomware<\/a>, we listed the ten ways to protect your organization from ransomware.<\/p>\n

    \n
  1. Use anti-virus and anti-malware software or other security policies to block known payloads from launching.<\/li>\n
  2. Make frequent, comprehensive backups of all important files and isolate them from local and open networks. Cybersecurity professionals view data backup and recovery (74% in a recent survey) by far as the most effective solution to respond to a successful ransomware attack.<\/li>\n
  3. Keep offline backups of data stored in locations inaccessible from any potentially infected computer, such as disconnected external storage drives or the cloud, which prevents them from being accessed by the ransomware.<\/li>\n
  4. Install the latest security updates issued by software vendors of your OS and applications. Remember to patch early and patch often to close known vulnerabilities in operating systems, server software, browsers, and web plugins.<\/li>\n
  5. Consider deploying security software to protect endpoints, email servers, and network systems from infection.<\/li>\n
  6. Exercise cyber hygiene, such as using caution when opening email attachments and links.<\/li>\n
  7. Segment your networks to keep critical computers isolated and to prevent the spread of malware in case of attack. Turn off unneeded network shares.<\/li>\n
  8. Turn off admin rights for users who don\u2019t require them. Give users the lowest system permissions they need to do their work.<\/li>\n
  9. Restrict write permissions on file servers as much as possible.<\/li>\n
  10. Educate yourself, your employees, and your family in best practices to keep malware out of your systems. Update everyone on the latest email phishing scams and human engineering aimed at turning victims into abettors.<\/li>\n<\/ol>\n

    Please Tell Us About Your Experiences with Ransomware<\/h3>\n

    Have you endured a ransomware attack or have a strategy to avoid becoming a victim? Please tell us of your experiences in the comments.<\/p>\n","protected":false},"excerpt":{"rendered":"

    As ransomware attacks have grown in number in recent months, the tactics and attack vectors also have evolved. While the primary method of attack used to be to target individual computer users within organizations, we’re increasingly seeing attacks that target weaknesses in businesses’ IT infrastructure.<\/p>\n","protected":false},"author":133,"featured_media":82529,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","footnotes":""},"categories":[475],"tags":[471,351],"class_list":["post-82528","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ransomware","tag-businessbackup","tag-ransomware","entry"],"acf":[],"yoast_head":"\nRansomware News: SamSam Moves Beyond Email to Attack Servers<\/title>\n<meta name=\"description\" content=\"While the primary method of attack used to be to target individual computer users within organizations with phishing emails and infected attachments, we're increasingly seeing attacks that target weaknesses in businesses' IT infrastructure.\" \/>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ransomware News: SamSam Moves Beyond Email to Attack Servers\" \/>\n<meta property=\"og:description\" content=\"While the primary method of attack used to be to target individual computer users within organizations with phishing emails and infected attachments, we're increasingly seeing attacks that target weaknesses in businesses' IT infrastructure.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.backblaze.com\/blog\/ransomware-update-viruses-targeting-business-it-servers\/\" \/>\n<meta property=\"og:site_name\" content=\"Backblaze Blog | Cloud Storage & Cloud Backup\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/backblaze\" \/>\n<meta property=\"article:published_time\" content=\"2018-04-24T16:54:28+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-07-23T13:52:17+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2018\/04\/samsam-ransomware.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1440\" \/>\n\t<meta property=\"og:image:height\" content=\"820\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Roderick Bauer\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@rodbauer\" \/>\n<meta name=\"twitter:site\" content=\"@backblaze\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Roderick Bauer\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Ransomware News: SamSam Moves Beyond Email to Attack Servers","description":"While the primary method of attack used to be to target individual computer users within organizations with phishing emails and infected attachments, we're increasingly seeing attacks that target weaknesses in businesses' IT infrastructure.","robots":{"index":"noindex","follow":"follow"},"og_locale":"en_US","og_type":"article","og_title":"Ransomware News: SamSam Moves Beyond Email to Attack Servers","og_description":"While the primary method of attack used to be to target individual computer users within organizations with phishing emails and infected attachments, we're increasingly seeing attacks that target weaknesses in businesses' IT infrastructure.","og_url":"https:\/\/www.backblaze.com\/blog\/ransomware-update-viruses-targeting-business-it-servers\/","og_site_name":"Backblaze Blog | Cloud Storage & Cloud Backup","article_publisher":"https:\/\/www.facebook.com\/backblaze","article_published_time":"2018-04-24T16:54:28+00:00","article_modified_time":"2025-07-23T13:52:17+00:00","og_image":[{"width":1440,"height":820,"url":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2018\/04\/samsam-ransomware.jpg","type":"image\/jpeg"}],"author":"Roderick Bauer","twitter_card":"summary_large_image","twitter_creator":"@rodbauer","twitter_site":"@backblaze","twitter_misc":{"Written by":"Roderick Bauer","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.backblaze.com\/blog\/ransomware-update-viruses-targeting-business-it-servers\/#article","isPartOf":{"@id":"https:\/\/www.backblaze.com\/blog\/ransomware-update-viruses-targeting-business-it-servers\/"},"author":{"name":"Roderick Bauer","@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#\/schema\/person\/ab76c78d649d9b862757dfa400d3cb8d"},"headline":"Ransomware Update: Viruses Targeting Business IT Servers","datePublished":"2018-04-24T16:54:28+00:00","dateModified":"2025-07-23T13:52:17+00:00","mainEntityOfPage":{"@id":"https:\/\/www.backblaze.com\/blog\/ransomware-update-viruses-targeting-business-it-servers\/"},"wordCount":1183,"commentCount":0,"publisher":{"@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.backblaze.com\/blog\/ransomware-update-viruses-targeting-business-it-servers\/#primaryimage"},"thumbnailUrl":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2018\/04\/samsam-ransomware.jpg","keywords":["BusinessBackup","Ransomware"],"articleSection":["Ransomware"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.backblaze.com\/blog\/ransomware-update-viruses-targeting-business-it-servers\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.backblaze.com\/blog\/ransomware-update-viruses-targeting-business-it-servers\/","url":"https:\/\/www.backblaze.com\/blog\/ransomware-update-viruses-targeting-business-it-servers\/","name":"Ransomware News: SamSam Moves Beyond Email to Attack Servers","isPartOf":{"@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.backblaze.com\/blog\/ransomware-update-viruses-targeting-business-it-servers\/#primaryimage"},"image":{"@id":"https:\/\/www.backblaze.com\/blog\/ransomware-update-viruses-targeting-business-it-servers\/#primaryimage"},"thumbnailUrl":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2018\/04\/samsam-ransomware.jpg","datePublished":"2018-04-24T16:54:28+00:00","dateModified":"2025-07-23T13:52:17+00:00","description":"While the primary method of attack used to be to target individual computer users within organizations with phishing emails and infected attachments, we're increasingly seeing attacks that target weaknesses in businesses' IT infrastructure.","breadcrumb":{"@id":"https:\/\/www.backblaze.com\/blog\/ransomware-update-viruses-targeting-business-it-servers\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.backblaze.com\/blog\/ransomware-update-viruses-targeting-business-it-servers\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.backblaze.com\/blog\/ransomware-update-viruses-targeting-business-it-servers\/#primaryimage","url":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2018\/04\/samsam-ransomware.jpg","contentUrl":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2018\/04\/samsam-ransomware.jpg","width":1440,"height":820},{"@type":"BreadcrumbList","@id":"https:\/\/www.backblaze.com\/blog\/ransomware-update-viruses-targeting-business-it-servers\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Ransomware Update: Viruses Targeting Business IT Servers"}]},{"@type":"WebSite","@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#website","url":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/","name":"Backblaze Cloud Solutions Blog","description":"Cloud Storage & Cloud Backup","publisher":{"@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#organization","name":"Backblaze","url":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/i0.wp.com\/www.backblaze.com\/blog\/wp-content\/uploads\/2017\/12\/backblaze_icon_transparent.png?fit=512%2C512&ssl=1","contentUrl":"https:\/\/i0.wp.com\/www.backblaze.com\/blog\/wp-content\/uploads\/2017\/12\/backblaze_icon_transparent.png?fit=512%2C512&ssl=1","width":512,"height":512,"caption":"Backblaze"},"image":{"@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/backblaze","https:\/\/x.com\/backblaze","https:\/\/www.youtube.com\/user\/Backblaze","https:\/\/en.wikipedia.org\/wiki\/Backblaze"]},{"@type":"Person","@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#\/schema\/person\/ab76c78d649d9b862757dfa400d3cb8d","name":"Roderick Bauer","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d0f9ff246abfe724e25d1c41983affb76e691cd3577d8b4d0d7607ee3ab6cbe2?s=96&d=blank&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d0f9ff246abfe724e25d1c41983affb76e691cd3577d8b4d0d7607ee3ab6cbe2?s=96&d=blank&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d0f9ff246abfe724e25d1c41983affb76e691cd3577d8b4d0d7607ee3ab6cbe2?s=96&d=blank&r=g","caption":"Roderick Bauer"},"description":"Roderick has held marketing, engineering, and product management positions with Adobe, Microsoft, Autodesk, and several startups. He's consulted to Apple, Microsoft, Hewlett-Packard, Stanford University, Dell, the Pentagon, and the White House. He was a Ford-Mozilla Fellow in Media and Democracy with Common Cause in Washington, D.C., where he advocated for a free, open, and accessible internet for all, reducing media consolidation, and transparency in politics and the media.","sameAs":["https:\/\/x.com\/rodbauer"],"url":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/author\/roderick\/"}]}},"jetpack_featured_media_url":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2018\/04\/samsam-ransomware.jpg","_links":{"self":[{"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/posts\/82528","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/users\/133"}],"replies":[{"embeddable":true,"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/comments?post=82528"}],"version-history":[{"count":0,"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/posts\/82528\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/media\/82529"}],"wp:attachment":[{"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/media?parent=82528"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/categories?post=82528"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/tags?post=82528"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}