Samas RansomWorm is a ransomware variant with unusual propagation characteristics, wreaking havoc on unsuspecting machines. Unlike ordinary ransomware, which encrypts only the computer the attacker has compromised, RansomWorm spreads throughout the whole network, targeting every server and workstation along with all the backups.
Research by Javelin Networks states that the Samas RansomWorm executes what the company calls the “Worm Triangle.”
“After gaining a foothold on a machine connected to the corporate domain, the attacker executes a three-part process: Steal domain credentials, identify targets via Active Directory (AD) reconnaissance, and move laterally,” the company explained. “This process is the ‘worm’, and it spreads itself throughout the entire network.”
In practice, the attackers exploit a known vulnerability in an internet-facing server; once that machine is compromised, they steal domain admin credentials, which lets them act as a legitimate user on the network.
Because of their admin-level privileges, the stolen domain credentials grant the attacker full access to every PC in the domain, leaving their files wide open to encryption via AD.
“Think of it as a master key that can unlock any computer,” the experts from Javelin stated.
“Samas infects one computer, and then self-propagates through the network, infecting each and every endpoint and server until the whole corporation is locked down… With a few built-in commands, the attacker encrypted the entire environment from the inside, evading traditional defenses while leaving no evidence behind.”
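As an added illustration of the detection side (not part of Javelin's research or the original article), the following Python flags the lateral-movement leg of the Worm Triangle: one account performing network logons to many distinct hosts within a short window. The event fields, host names, account names and the privileged-account list are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events (EventID 4624, LogonType 3,
# i.e. network logons). Fields: timestamp, account, source host, target host.
SAMPLE_EVENTS = [
    ("2016-11-10 02:00:01", "CORP\\svc-backup", "WS-17", "FILE-01"),
    ("2016-11-10 02:00:04", "CORP\\svc-backup", "WS-17", "FILE-02"),
    ("2016-11-10 02:00:09", "CORP\\svc-backup", "WS-17", "SQL-01"),
    ("2016-11-10 02:00:13", "CORP\\svc-backup", "WS-17", "WS-03"),
    ("2016-11-10 02:00:18", "CORP\\svc-backup", "WS-17", "WS-04"),
    ("2016-11-10 02:00:22", "CORP\\svc-backup", "WS-17", "BACKUP-01"),
    ("2016-11-10 02:00:30", "CORP\\jdoe", "WS-21", "FILE-01"),
    ("2016-11-10 09:15:00", "CORP\\jdoe", "WS-21", "PRINT-01"),
]

# Accounts holding domain-admin-level rights; assumed exported from AD (constructed).
PRIVILEGED = {"CORP\\svc-backup", "CORP\\Administrator"}

def detect_fanout(events, window=timedelta(minutes=10), max_hosts=4):
    """Return {account: sorted hosts} for accounts that made network logons to
    more than `max_hosts` distinct hosts within one `window`. A single account
    reaching many machines in minutes is the Worm Triangle's lateral-movement leg."""
    by_account = defaultdict(list)
    for ts, account, _src, target in events:
        by_account[account].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), target))

    alerts = {}
    for account, logons in by_account.items():
        logons.sort()
        start = 0
        for end in range(len(logons)):
            # Advance the window start until the span fits inside `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {host for _, host in logons[start:end + 1]}
            # Keep the widest fan-out seen for this account.
            if len(hosts) > max_hosts and len(hosts) > len(alerts.get(account, ())):
                alerts[account] = sorted(hosts)
    return alerts

def severity(account, privileged=PRIVILEGED):
    """Fan-out by a privileged account is the 'master key' case described above."""
    return "critical" if account in privileged else "high"

if __name__ == "__main__":
    for acct, hosts in detect_fanout(SAMPLE_EVENTS).items():
        print(f"[{severity(acct)}] {acct} reached {len(hosts)} hosts: {hosts}")
```

The thresholds are starting points; tune `window` and `max_hosts` against a baseline of normal admin and backup-job behaviour so the alert stays quiet until an account starts touching machines it never touches.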
The consequences vary by industry but are severe: in a retail environment, a complete POS lockdown halts sales; in a hospital, patient data is lost.
According to Javelin researchers, using this methodology the gang behind Samas made $450,000 in a single year, targeting mostly healthcare organizations.