More than three million internet-facing servers are at risk of hijack by ransomware because they are running out-of-date software.
Cisco-owned Talos Group said in a blog post that a search for machines that were already compromised showed at least 2,100 servers across 1,600 separate networks, belonging to schools and universities, government departments and aviation companies, were vulnerable to infection.
Malicious actors are using out-of-date versions of Red Hat's JBoss enterprise server, middleware that integrates devices, data, and users across different platforms, as the initial point of compromise.
The security research team warned that these servers could be infected at any moment by Samsam, a new kind of ransomware that infects through compromised servers and locks up files until a ransom is paid.
Targeting servers is a relatively new kind of attack for ransomware actors, and a network's most sensitive data rests on the server rather than on individual computers. That raises the stakes, and makes it more likely that the ransom will be paid.
Some of the compromised servers belonged to schools running Destiny, a content management system used to keep track of books and other items. Follett, which maintains the Destiny software, immediately issued a fix for the flaw, and researchers said it was "imperative" that all users install the patches.
In their advisory, Talos researchers urged administrators to remove external access to the server, but added that ideally reimaging the system and installing patches would be better.