For more than a month , at least ten groups of attackers have been compromising systems running applications built with Apache Struts and installing backdoors , DDoS bots , cryptocurrency miners , or ransomware , depending if the machine is running Linux or Windows . For their attacks , the groups are using a zero-day in Apache Struts , disclosed Vulnerability-related.DiscoverVulnerability and immediately fixed Vulnerability-related.PatchVulnerability last month by Apache . The vulnerability , CVE-2017-5638 , allows an attacker to execute commands on the server via content uploaded to the Jakarta Multipart parser component , deployed in some Struts installations . Attackers initially focused on Linux server . According to cyber-security firms F5 , attacks started as soon as Cisco Talos researchers revealed Vulnerability-related.DiscoverVulnerability the zero-day 's presence and several proof-of-concept exploits were published Vulnerability-related.DiscoverVulnerability online . Since early March , attacks have slowly evolved . F5 experts say that in the beginning , attackers targeted Struts instances running on Linux servers , where they would end up installing the PowerBot malware , an IRC-controlled DDoS bot also known as PerlBot or Shellbot . In later attacks , some groups switched to installing a cryptocurrency miner called `` minerd '' that mined for the Monero cryptocurrency . In other attacks reported by the SANS Technology Institute , some attackers installed Perl backdoors . Recent attacks also targeted Struts running on Windows Both SANS and F5 experts report that after March 20 , one of these groups switched to targeting Struts instances installed on Windows systems . Using a slightly modified exploit code , attackers executed various shell commands to run the BITSAdmin utility and then downloaded ( via Windows ' built-in FTP support ) the Cerber ransomware . From this point on , Cerber took over , encrypted files , and displayed its standard ransom note , leaving victims no choice but pay the ransom demand Attack.Ransom or recover data from backups . `` The attackers running this [ Cerber ] campaign are using the same Bitcoin ID for a number of campaigns , '' the F5 team said . `` This particular account has processed 84 bitcoins [ ~ $ 100,000 ] . '' F5 experts also noted that , on average , roughly 2.2 Bitcoin ( ~ $ 2,600 ) go in and out of this particular wallet on a daily basis . The most recent payments dates to today . It is worth mentioning that F5 published their findings last week , on March 29 . Today , SANS detailed similar findings , meaning the campaign spreading Cerber ransomware via Struts on Windows is still going strong . A patch for Apache Struts servers is available Vulnerability-related.PatchVulnerability on the Struts website . Struts is an open source MVC framework for creating modern Java web applications , and its widely used in enterprise environments , for both Intranets and public websites . Some of the initial attacks on Struts-based applications have been tracked by cyber-security firm AlienVault .

An Indiana hospital paid a ransom Attack.Ransom of $ 55,000 to get rid of ransomware that had infected its systems and was hindering operations last week . The infection took root last week , on Thursday , January 11 , when attackers breached the network of Hancock Health , a regional hospital in the city of Greenfield , Indiana . Attackers deployed the SamSam ransomware , which encrypted files and renamed them with the phrase `` I ’ m sorry '' , according to a local newspaper who broke the news last week . Hospital operations were affected right away . IT staff intervened and took down the entire network , asking employees to shut down all computers to avoid the ransomware from spreading to other PCs . By Friday , the next day , the hospital was littered with posters asking employees to shut down any computer until the incident was resolved . While some news sites reported that the hospital shut down operations , medical and management staff continued their work , but with pen and paper instead of computers . Patients continued to receive care at the hospital 's premise . Hospital had backups but decides to pay ransom demand Attack.Ransom . The hospital said that despite having backups it opted to pay the ransom demand Attack.Ransom of 4 Bitcoin , which was worth around $ 55,000 at the time the hospital paid Attack.Ransom the sum , on Saturday morning . Hospital management told local press that restoring from backups was not a solution as it would have taken days and maybe even weeks to have all systems up and running . Hence , they decided paying the ransom Attack.Ransom was quicker . By Monday , all systems were up and running , and the hospital released a short statement on its site admitting to the incident , but with very few other details . While the hospital has not confirmed the typical SamSam attack scenario , they did say the infection was not the case of an employee opening a malware-infected email . The FBI has long asked companies and individuals affected by ransomware to report any infections via the IC3 portal so the Bureau can get a better grasp of the threat and have the legal reasons to go after such groups .

Federal officials , Microsoft and Cisco are working with the city of Atlanta to resolve the attack Attack.Ransom , but Atlanta 's mayor wo n't say if the city paid Attack.Ransom the $ 51,000 ransom Attack.Ransom . As of Saturday , Atlanta officials and federal partners were still “ working around the clock ” to resolve the ransomware attack Attack.Ransom on city computers that occurred around 5 a.m. on Thursday , March 22 , and encrypted some financial and person data . As @ Cityofatlanta officials & federal partners continue working around the clock to resolve issues related to the ransomware cyber attack Attack.Ransom launched against the City , solid waste & other DPW operations are not impacted . — ATLPublicWorks ( @ ATLPublicWorks ) March 24 , 2018 On Thursday , the official investigation included “ the FBI , U.S. Department of Homeland Security , Cisco cybersecurity officials and Microsoft to determine what information has been accessed Attack.Databreach and how to resolve the situation. ” A city employee sent WXIA a screenshot of the ransom demand Attack.Ransom , which included a pay-per-computer option Attack.Ransom of $ 6,800 or an option to pay Attack.Ransom $ 51,000 to unlock the entire system . CBS 46 reported that the ransom demand Attack.Ransom and instruction said : Send .8 bitcoins for each computer or 6 bitcoins for all of the computers . ( That 's the equivalent of around $ 51,000 . ) After the .8 bitcoin is sent , leave a comment on their website with the provided host name . They ’ ll then reply to the comment with a decryption software . When you run that , all of the encrypted files will be recovered . On Friday , March 23 , city employees were handed a printed notice as they walked through the front doors . They were told not to turn on their computers until the issue was resolved . Officials were still unsure who was behind the attack . Mayor Keisha Lance Bottoms advised city employees and customers to monitor their personal information , although there was no evidence to show customer or employee data was compromised Attack.Databreach . Mayor Bottoms clarified what services had not been impacted and were still available to residents and which ones had been impacted . Mayor Bottoms will not say if Atlanta intends to pay the ransom demand Attack.Ransom , saying , “ We will be looking for guidance from , specifically , our federal partners on how to best navigate the best course of action. ” During a press conference , Bottoms said , “ What we want to make sure of is that we aren ’ t putting a Band-Aid on a gaping wound. ” She then turned the press conference over to Richard Cox , the City of Atlanta 's chief operations officer ; the poor dude is brand new to serving as Atlanta ’ s COO . He confirmed the existence of the ransom demand Attack.Ransom but would not reveal the contents .

For their attacks , the groups are using a zero-day in Apache Struts , disclosed Vulnerability-related.DiscoverVulnerability and immediately fixed Vulnerability-related.PatchVulnerability last month by Apache . The vulnerability , CVE-2017-5638 , allows an attacker to execute commands on the server via content uploaded to the Jakarta Multipart parser component , deployed in some Struts installations . According to cyber-security firms F5 , attacks started as soon as Cisco Talos researchers revealed Vulnerability-related.DiscoverVulnerability the zero-day 's presence and several proof-of-concept exploits were published online Vulnerability-related.DiscoverVulnerability . F5 experts say Vulnerability-related.DiscoverVulnerability that in the beginning , attackers targeted Struts instances running on Linux servers , where they would end up installing the PowerBot malware , an IRC-controlled DDoS bot also known as PerlBot or Shellbot . In later attacks , some groups switched to installing a cryptocurrency miner called `` minerd '' that mined for the Monero cryptocurrency . In other attacks reported by the SANS Technology Institute , some attackers installed Perl backdoors . Both SANS and F5 experts report that after March 20 , one of these groups switched to targeting Struts instances installed on Windows systems . Using a slightly modified exploit code , attackers executed various shell commands to run the BITSAdmin utility and then downloaded ( via Windows ' built-in FTP support ) the Cerber ransomware . From this point on , Cerber took over , encrypted files , and displayed its standard ransom note , leaving victims no choice but pay the ransom demand Attack.Ransom or recover data from backups . `` The attackers running this [ Cerber ] campaign are using the same Bitcoin ID for a number of campaigns , '' the F5 team said . `` This particular account has processed 84 bitcoins [ ~ $ 100,000 ] . '' F5 experts also noted that , on average , roughly 2.2 Bitcoin ( ~ $ 2,600 ) go in and out of this particular wallet on a daily basis . It is worth mentioning that F5 published their findings last week , on March 29 . Today , SANS detailed similar findings , meaning the campaign spreading Cerber ransomware via Struts on Windows is still going strong . Some of the initial attacks on Struts-based applications have been tracked by cyber-security firm AlienVault

No one likes to have their company hacked . No one is going to be happy if hackers manage to break into systems and steal Attack.Databreach away their intellectual property . In the case of companies like Disney , having a $ 230 million blockbuster like the latest Pirates of the Caribbean movie stolen Attack.Databreach could prove to be very costly if hackers follow through with their threats to seed their pirated copy of the film on torrent sites , disrupting its official release . But imagine how much more galling it would be to give in to the hackers ’ blackmail Attack.Ransom threats and pay a ransom Attack.Ransom for the movie not to be leaked online , only to discover later that the extortionists never had a copy of the film in the first place ? Earlier this month it was widely reported that Walt Disney ’ s CEO Bob Iger had been contacted by hackers who were threatening to release one of the studio ’ s movies onto the internet unless a ransom was paid Attack.Ransom . Iger didn ’ t say what movie the hackers claimed to have stolen Attack.Databreach , but it was widely thought to be the soon to be released “ Pirates of the Caribbean : Dead Men Tell No Tales. ” That theory of the hacked movie ’ s identity certainly gained more momentum when it was reported that torrents had been spotted on Pirate Bay claiming to be the blockbuster starring Johnny Depp , Javier Bardem and Geoffrey Rush . However , none of those downloadable torrents were confirmed to contain the “ Pirates of the Caribbean ” movie . And in a video interview with Yahoo Finance , Disney ’ s CEO debunked claims that a movie had ever been stolen Attack.Databreach : “ To our knowledge we were not hacked . We had a threat of a hack Attack.Databreach of a movie being stolen Attack.Databreach . We decided to take it seriously but not react in the manner in which the person who was threatening us had required . We don ’ t believe that it was real and nothing has happened. ” In short , Disney says that it was not accurate that a movie was ever stolen Attack.Databreach , and it refused to pay the ransom demand Attack.Ransom to the extortionists . And that , in itself , may be a lesson for other companies to keep a cool head when they receive an extortion demand Attack.Ransom claiming that intellectual property or sensitive data has been stolen Attack.Databreach by hackers . Obviously all threats should be taken seriously , and you should explore appropriately whether it is possible a security breach has genuinely occurred , review the security of your systems , and inform law enforcement agencies as appropriate . But don ’ t be too quick to pay Attack.Ransom the criminals who are making threats against you . If you can , seek evidence that the hackers have what they claim to have , rather than reaching first for your wallets . It ’ s perfectly possible that some extortionists are simply jumping on the bandwagon of high profile hacks in an attempt to trick you into believing your company is the latest victim . Keep a cool head when your company receives a threat , or else you might find yourself in deep water , swimming with the hungry fishes .