A ransomware variant known as Samas RansomWorm is wreaking havoc on unsuspecting machines, gaining its name from its unusual propagation characteristics. Whereas traditional ransomware only encrypts the machine the attacker is controlling, RansomWorm spreads throughout the entire network to encrypt every server and computer, including the backups.
According to research from Javelin Networks, it executes what it calls the “Worm Triangle.”
“After gaining a foothold on a machine connected to the corporate domain, the attacker executes a three-part process: Steal domain credentials, identify targets via Active Directory (AD) reconnaissance, and move laterally,” the firm explained in a blog post. “This process is the ‘worm’, and it spreads itself throughout the entire network.”
Generally, the attackers exploit a known vulnerability in an internet-facing server; once the machine is compromised, they steal domain admin credentials, making it possible to act as a legitimate user on the network. Because of the admin-level privileges, these domain credentials grant the attacker full access to any computer inside the domain, laying its files wide open for encryption via AD.
“Think of it as a master key that can unlock any computer,” Javelin researchers said. “Samas infects one computer, and then self-propagates through the network, infecting each and every endpoint and server until the whole corporation is locked down…With a few built-in commands, the attacker encrypted the entire environment from the inside, evading traditional defenses while leaving no evidence behind.”
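A defender-side illustration of the lateral-movement leg of the Worm Triangle described above, added here and not part of the article or of Javelin's research: a small Python heuristic over constructed logon records (account, source host, target host, loosely modelled on Windows event 4624 fields) that flags an account fanning out to many distinct hosts from a single source in a short window, and ranks domain-admin hits first. The event format, the thresholds and the DOMAIN_ADMINS set are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of remote logon events (time, account, source host, target
# host), loosely modelled on Windows Security event 4624 fields.
SAMPLE_EVENTS = [
    ("2016-04-01T02:00:05", "CORP\\svc_backup", "WEB01", "FS01"),
    ("2016-04-01T02:00:09", "CORP\\svc_backup", "WEB01", "FS02"),
    ("2016-04-01T02:00:14", "CORP\\svc_backup", "WEB01", "DB01"),
    ("2016-04-01T02:00:20", "CORP\\svc_backup", "WEB01", "PC-0117"),
    ("2016-04-01T02:00:25", "CORP\\svc_backup", "WEB01", "PC-0118"),
    ("2016-04-01T02:00:31", "CORP\\svc_backup", "WEB01", "BACKUP01"),
    ("2016-04-01T09:15:00", "CORP\\alice", "PC-0042", "FS01"),
    ("2016-04-01T09:40:00", "CORP\\alice", "PC-0042", "PRINT01"),
]

# Assumed: accounts holding Domain Admin rights, as exported from AD group membership.
DOMAIN_ADMINS = {"CORP\\svc_backup", "CORP\\administrator"}


def find_fan_out(events, window=timedelta(minutes=10), max_hosts=5):
    """Return {(account, source): [targets]} for every account that reaches more
    than `max_hosts` distinct target hosts from one source inside `window`.
    One account sweeping many hosts from a single server this quickly is the
    lateral-movement pattern the article describes; routine admin work rarely
    touches that many machines in minutes."""
    by_key = defaultdict(list)
    for ts, account, src, dst in events:
        by_key[(account, src)].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for key, logons in by_key.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):  # slide the window over each start
            hosts = {dst for t, dst in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                alerts[key] = sorted(hosts)
                break
    return alerts


def triage(events):
    """Rank alerts with domain-admin accounts first: those credentials are the
    'master key' that unlocks every machine in the domain."""
    alerts = find_fan_out(events)
    return sorted(alerts.items(), key=lambda kv: (kv[0][0] not in DOMAIN_ADMINS, kv[0]))


if __name__ == "__main__":
    for (account, src), hosts in triage(SAMPLE_EVENTS):
        tag = "DOMAIN ADMIN" if account in DOMAIN_ADMINS else "standard"
        print(f"[{tag}] {account} from {src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

On the constructed sample only the backup service account trips the rule; tune `window` and `max_hosts` against a baseline of your own admin activity before alerting on it.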
The consequences vary dramatically by industry: in a retail environment, a complete POS lockdown halts sales; in a hospital, patient data goes dark.
It’s been a successful gambit: the group behind Samas was able to rack up $450,000 in just one year using this methodology, Javelin said, primarily targeting healthcare organizations.