The actors behind Samas, a ransomware family that emerged about a year ago, are using Active Directory to perform reconnaissance and then infect entire networks, Javelin Networks says.
First detailed in March last year, Samas was observed employing publicly available penetration testing tools for delivery, and its operators were said to have made $450,000 in ransom payments by December 2016.