First medtech, now schools are the targets for SamSam ransomware. What do you need to do to protect your organization?

Schools are a logical target for attack by online extortionists. Not only do they store lots of juicy information, but decades of underfunding have left them with poor IT systems that are riddled with holes.

— The Register

According to The Register, schools and school systems are fast becoming the new hot target for SamSam, the ransomware that preys on unpatched vulnerabilities in the JBoss platform.  The article notes that Follett Learning’s Destiny library management software, in use at schools across the US, requires an older (vulnerable) build of JBoss and, as a result, leaves those schools exposed.  The article makes a few good points about how SamSam is spreading.  Below are some simple steps that can protect you from this and similar attacks, as well as what to do if you are, or believe you may already be, infected.

Prevention

  • Inventory – Having an up-to-date list of what you have and what it’s doing is critical (you can’t keep something patched if you don’t know it’s there).  This list should cover not only the hardware and software but also the results of periodic port scans, which should be reconciled against the software inventory: anything answering on the network that isn’t on the list needs an explanation.  A long-forgotten device on a network (think test virtual machine, IoT device, managed switch, impromptu access point, printer, etc.) is a goldmine for an attacker.  A small oversight like a smart or managed switch with default credentials that supports port mirroring could get abused quickly.
  • Patch & Update – Perhaps the easiest and most effective way to thwart most attacks is to install the updates that the manufacturers provide.  This includes the operating system, applications, firmware, antivirus, etc.  These updates address specific vulnerabilities that are known to the manufacturer and, as soon as the updates are released, to the attackers.  If the manufacturer stops releasing updates, that’s a huge motivator to find a new product (or manufacturer).  As long as the scope permits, a scan for known vulnerabilities happens very early on in any engagement.  If there’s a known vulnerability, that’s usually a quick and easy way in.
  • Monitor – Once you know what you have and what it’s doing and you’ve got a good patch management process in place, study your log data to establish a baseline and then review your logs regularly to detect deviations from that baseline.  Aggregating log data from servers, appliances, IDS / IPS and anything else that will produce it into something like Splunk (if you are a small to medium business, Splunk Light is free for up to 500MB per day) or LogRhythm will also give a good, high-level view with the ability to drill down as things deviate from the norm.
  • Test – Periodically test your plan.  Depending on the size and needs of the organization this could be done by internal IT staff or outsourced to an organization [like Piratica] that specializes in this type of testing.  An excellent resource for getting familiar with the process is the Penetration Testing Execution Standard.
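To show what “reconcile the port scans against the inventory” looks like in practice for the Inventory and Patch & Update steps, here is an added example (not code from the original post or from The Register’s article).  It parses nmap’s grepable output (the -oG format, one host per line), reports hosts that the asset inventory doesn’t know about, and flags any service banner matching a watchlist (here, JBoss, since that is what SamSam preys on) for patch review.  The inventory, the IP addresses and the scan lines are all constructed for illustration; the JBoss banners are sample data, not a statement about any particular build.

```python
"""Reconcile an nmap grepable (-oG) scan against an asset inventory.

Added example, not part of the original post.  nmap's grepable format puts
one host per line:
    Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...
Everything below (inventory, addresses, banners) is constructed sample data.
"""
import re
from collections import namedtuple

Service = namedtuple("Service", "port proto service version")

# Constructed asset inventory: the hosts IT believes exist on this segment.
INVENTORY = {
    "10.20.0.10": "library-app",        # hypothetical Destiny front end on JBoss
    "10.20.0.11": "file-server",
    "10.20.0.12": "domain-controller",
}

# Version banners that warrant a patch review (case-insensitive substring match).
WATCHLIST = ("jboss",)

# Constructed nmap -oG output.  The domain controller appears twice because
# nmap emits a "Status: Up" line before the "Ports:" line for each host.
SCAN_OUTPUT = """\
# Nmap 7.01 scan initiated (constructed sample)
Host: 10.20.0.10 (library-app)\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2/, 8080/open/tcp//http//JBoss Enterprise Application Platform/\tIgnored State: closed (998)
Host: 10.20.0.11 (file-server)\tPorts: 445/open/tcp//microsoft-ds//Microsoft Windows Server 2012 microsoft-ds/\tIgnored State: filtered (999)
Host: 10.20.0.12 (domain-controller)\tStatus: Up
Host: 10.20.0.12 (domain-controller)\tPorts: 88/open/tcp//kerberos-sec//Microsoft Windows Kerberos/, 389/open/tcp//ldap//Microsoft Windows Active Directory LDAP/\tIgnored State: closed (998)
Host: 10.20.0.77 ()\tPorts: 23/open/tcp//telnet//Cisco IOS telnetd/, 80/open/tcp//http//Cisco IOS http config/\tIgnored State: closed (998)
Host: 10.20.0.150 ()\tPorts: 8080/open/tcp//http//JBoss Application Server 4.2.3/\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

# port/state/proto/owner/service/rpcinfo/version/  -- owner and rpcinfo are skipped
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def ip_key(ip):
    """Sort dotted-quad addresses numerically rather than as strings."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_grepable(text):
    """Return {ip: [Service, ...]} with the open ports of every scanned host."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                       # comments and summary lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports: ")), None)
        if ports_field is None:
            continue                       # "Status: Up" lines carry no services
        services = hosts.setdefault(ip, [])
        for port, state, proto, svc, ver in PORT_RE.findall(ports_field):
            if state == "open":
                services.append(Service(int(port), proto, svc, ver))
    return hosts


def reconcile(scan, inventory, watchlist=WATCHLIST):
    """Return (unknown_hosts, flagged): hosts missing from the inventory, and
    (ip, Service) pairs whose version banner matches the watchlist."""
    unknown = sorted((ip for ip in scan if ip not in inventory), key=ip_key)
    flagged = [(ip, s)
               for ip in sorted(scan, key=ip_key)
               for s in scan[ip]
               if any(w in s.version.lower() for w in watchlist)]
    return unknown, flagged


def report(text=SCAN_OUTPUT, inventory=INVENTORY):
    """Produce the findings a practitioner would act on, one line each."""
    scan = parse_grepable(text)
    unknown, flagged = reconcile(scan, inventory)
    lines = []
    for ip in unknown:
        banners = ", ".join(f"{s.port}/{s.proto} {s.version}" for s in scan[ip])
        lines.append(f"UNKNOWN HOST {ip}: {banners}")
    for ip, s in flagged:
        tag = "known" if ip in inventory else "unknown"
        lines.append(f"PATCH REVIEW {ip} ({tag}): {s.port}/{s.proto} {s.version}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Against the sample data this reports two hosts the inventory never heard of (a managed switch answering on telnet, and a second JBoss instance nobody is patching) and puts both JBoss banners on the patch-review list.  To use it on a real segment, run `nmap -sV -oG scan.gnmap <range>` and pass the file’s contents to `parse_grepable` in place of the constructed text; the inventory would come from whatever system of record you keep, rather than a dictionary in the script.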

Remediation

  • Isolate the affected system.  Whether it’s ransomware or an attacker looking to pivot, get the compromised host off of the network (and keep it off until it has been rebuilt).  If there is data on the compromised host that can’t be restored from a known good backup, recover the data from the compromised host, scrutinize it, and restore it to a replacement host that’s fully patched, up-to-date and protected.

Misc / Errata

  • http://www.theregister.co.uk/2016/04/19/samsam_ransomware_in_hospitals_schools/
  • http://www.splunk.com/en_us/products/splunk-light.html
  • http://www.pentest-standard.org/index.php/Main_Page