A new variant of Satan ransomware is spreading via around ten different vulnerabilities in Windows and Linux server platforms.
PUBLISH DATE: 11-DEC-2018
The worm-like variant of Satan ransomware called “Lucky” is capable of spreading on its own, without human interaction. The malware is capable of exploiting previously known vulnerabilities in Windows SMB, JBoss, WebLogic, Tomcat, Apache Struts 2, and Spring Data Commons. The ransomware is found infecting many systems belonging to the financial sector.
These vulnerabilities are being exploited by Lucky to facilitate its propagation.
In case of successful infection, Lucky encrypts local files adding extension ‘.lucky’ to their names. It then installs a ransom file – “_How_To_Decrypt_My_File_”.
Lucky ransomware attempts to spread right after it completes encrypting files on the victim system. The malware scans for specific IPs and ports on the local network to find vulnerable systems to drop its malicious payload.
Most of these vulnerabilities are easy to exploit and affect Java server apps. The vulnerabilities that affect JBoss, Tomcat, WebLogic, Apache Struts 2, and Spring Data Commons are all remote code execution vulnerabilities that allow attackers to easily execute OS commands on any platform.
Ransomwares are now attacking Servers more than systems because vulnerable servers are usually left unpatched for longer periods of time as compared to desktop systems. Based on Threat Intelligence data from over 4,000 sources, experts believe that there is a risk of extensive infection in the financial sector by Lucky ransomware.
INDICATORS OF COMPROMISE
If you think you’re a victim of a cyber-attack, immediately send an e-mail to firstname.lastname@example.org.