March 09, 2017
How is Samas RansomWorm different from normal ransomware?
Whereas traditional ransomware only encrypts the machine the attacker is controlling, RansomWorm spreads inside throughout the entire network to encrypt every server and computer—and the backups.
But how does this work? After gaining a foothold on a machine connected to the corporate domain, the attacker executes a three-part process: steal domain credentials, identify targets via Active Directory (AD) reconnaissance, and move laterally. This process is the “worm”, and it spreads itself throughout the entire network. We call it the “Worm Triangle”:
Figure 1: Worm Triangle
Domain Credential Theft
There are many infection vectors an attacker can choose to establish a foothold inside the victim’s environment. In this particular case, he chooses to exploit front-facing servers for a known vulnerability (CVE-2010-0738). Once the attacker is inside the network and has compromised a machine, he uses Mimikatz/Bladabindi/Derusbi to steal domain admin credentials. So now that he’s got the credentials, he can act as a legitimate user on the network.
Active Directory Reconnaissance
Next, he needs to identify the targets so he can encrypt them. The stealthiest and most efficient way to do this is to query the Active Directory. Why? Because it stores all the corporation’s information. It’s a database that stores all users, endpoints, applications, and servers. Sound like a gold mine? An attacker’s dream come true? Well, you’re right. It is a dream come true. All he has to do is say “abracadabra”, and the information appears.
There’s no magic here, but it’s not that far off. Just replace “abracadabra” with “Windows Utility – CSVDE” and—voila!—all of the endpoints appear. Using only one command, the attacker obtained this information with no risk of detection. Now he has to verify which ones are alive using the PING command.
He acquired domain admin credentials and identified his target endpoints via the Active Directory. So he is ready to infect. Let me reiterate here that these domain credentials grant him full access to ANY computer inside the domain. Think of it as a master key that can unlock any computer.
To infect the endpoints, he installs the module using another Windows Utility: PSEXEC. He can do this because it is a legitimate, built-in command that IT managers use to control and run commands on Windows OS remotely.
Now the worm comes in: Samas infects one computer, and then self-propagates through the network, infecting each and every endpoint and server until the whole corporation is locked down. This has dramatic consequences depending on the industry. For example:
Retail – all POS systems shut down, how can the company sell anything?
Hospital – computers and databases shut down, how can they retrieve patient data?
The group behind Samas was able to rack up $450,000 in just one year using this methodology, primarily targeting healthcare organizations. You can see the geographical distribution of the infections in the figure below (US is the main target):
Figure 2: A majority of Samas infections are detected in the US
And that’s the Samas RansomWorm. With a few built-in commands, the attacker encrypted the entire environment from the inside, evading traditional defenses while leaving no evidence behind.
Wow. What a stealthy crime.
This is why Active Directory reconnaissance is so powerful and effective—an attacker can query the AD to learn everything about the environment.
Here’s the hidden truth: every threat group knows the Active Directory is the most vulnerable—and valuable—asset in the organization. This is why EVERY APT bases its campaign on AD manipulation.
That means every corporation with Active Directory is exposed to these attacks. And there’s not a single solution in the world that stops this manipulation.