According to research from Javelin Networks, the malware executes what the firm calls the “Worm Triangle.”
“After gaining a foothold on a machine connected to the corporate domain, the attacker executes a three-part process: Steal domain credentials, identify targets via Active Directory (AD) reconnaissance, and move laterally,” the firm explained, in a blog. “This process is the ‘worm’, and it spreads itself throughout the entire network.”
Generally, the attackers exploit a known vulnerability in an internet-facing server. Once that machine is compromised, they steal domain admin credentials, which lets them act as a legitimate user on the network. Because of the admin-level privileges, those domain credentials grant the attacker full access to any computer inside the domain, leaving the files on every member machine open to encryption through AD.
“Think of it as a master key that can unlock any computer,” Javelin researchers said. “Samas infects one computer, and then self-propagates through the network, infecting each and every endpoint and server until the whole corporation is locked down… With a few built-in commands, the attacker encrypted the entire environment from the inside, evading traditional defenses while leaving no evidence behind.”
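One defensive check the “master key” pattern above suggests, as an added example that is not from the article or from Javelin Networks: flag a single domain account whose network logons reach many distinct hosts within a short window, the fan-out a credential-driven worm produces as it spreads. The simplified event fields, the sample records, and the threshold are constructed assumptions.

```python
# Added example (not from the article or Javelin Networks): detect one domain
# account fanning out to many hosts via network logons in a short window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: simplified Windows Security 4624 (successful logon)
# events. logon_type 3 is a network logon; "host" is the computer that
# recorded the event. Timestamps and names are made up for this example.
SAMPLE_EVENTS = [
    {"time": t, "host": h, "user": u, "logon_type": lt}
    for t, h, u, lt in [
        ("2016-03-29T02:00:05", "FS01",  "CORP\\adm_jdoe", 3),
        ("2016-03-29T02:00:41", "SQL02", "CORP\\adm_jdoe", 3),
        ("2016-03-29T02:01:10", "WS117", "CORP\\adm_jdoe", 3),
        ("2016-03-29T02:01:33", "WS118", "CORP\\adm_jdoe", 3),
        ("2016-03-29T02:02:02", "WS119", "CORP\\adm_jdoe", 3),
        ("2016-03-29T02:02:45", "DC01",  "CORP\\adm_jdoe", 3),
        ("2016-03-29T02:03:00", "FS01",  "CORP\\adm_jdoe", 3),  # repeat host
        ("2016-03-29T08:15:00", "WS042", "CORP\\asmith",  2),  # console logon
        ("2016-03-29T08:16:12", "FS01",  "CORP\\asmith",  3),  # file share
        ("2016-03-29T09:30:00", "WS042", "CORP\\asmith",  3),
    ]
]


def detect_fanout(events, min_hosts=5, window=timedelta(minutes=10)):
    """Return {user: sorted hosts} for accounts whose network logons reached
    at least `min_hosts` distinct hosts inside some `window`-long period.
    The reported host set is the largest one seen in any such period."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 3:  # only network logons count as spread
            by_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["host"]))
    alerts = {}
    for user, logons in by_user.items():
        logons.sort()
        best, start = set(), 0
        for end in range(len(logons)):  # sliding window over sorted logons
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts[user] = sorted(best)
    return alerts


if __name__ == "__main__":
    for user, hosts in detect_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {len(hosts)} hosts in window -> {hosts}")
```

With the defaults only the admin account that touched six servers in three minutes is reported; the ordinary user's two file-share logons an hour apart are not.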