Samas RansomWorm, a ransomware variant is infiltrating unsuspecting machines, gaining its name from its unusual propagation characteristics. Whereas traditional ransomware only encrypts the machine the attacker is controlling, RansomWorm propagates inside throughout the entire network to encrypt every server and computer—and the backups.
According to research from Javelin Networks, it executes what it calls the “Worm Triangle.”
“After gaining a foothold on a machine connected to the corporate domain, the attacker executes a three-part process: Steal domain credentials, identify targets via Active Directory (AD) reconnaissance, and move laterally,” the firm explained, in a blog. “This process is the ‘worm’, and it spreads itself throughout the entire network.”
Generally, the attackers exploit front-facing servers for a known vulnerability, and once the machine is compromised, he or she steals domain admin credentials, making it possible to act as a legitimate user on the network. Because of the admin-level privileges, these domain credentials grant the attacker full access to any computer inside the domain, laying their files wide open for encryption via AD.
“Think of it as a master key that can unlock any computer,” Javelin researchers said. “Samas infects one computer, and then self-propagates through the network, infecting each and every endpoint and server until the whole corporation is locked down…With a few built-in commands, the attacker encrypted the entire environment from the inside, evading traditional defenses while leaving no evidence behind.”