US Indicts Two Iranians for SamSam Campaign Blitz


Two Iranian men have been indicted for a string of ransomware attacks over the past three years, causing $30m in losses to over 200 organizations, mainly in the US.

Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, are accused of operating the infamous SamSam ransomware variant which targeted notable organizations including the Hollywood Presbyterian Medical Center, City of Atlanta, MedStar Health, Kansas Heart Hospital and the City of Newark.

The two are said to have made over $6m from their scheme to date, creating the first version of the malware in December 2015 before updating it in June and October 2017.

The attacks differed from many ransomware campaigns in being highly targeted, with the duo researching their victims, scanning for vulnerabilities and then striking outside of business hours to cause maximum disruption, all while disguising attacks as legitimate network traffic.

The two are charged with: one count of conspiracy to commit wire fraud; one count of conspiracy to commit fraud and related activity in connection with computers; two substantive counts of intentional damage to a protected computer; and two substantive counts of transmitting a demand in relation to damaging a protected computer.

They’re unlikely to be brought to justice, as the duo remain in Iran. However, the US Treasury has imposed sanctions on two further men, Ali Khorashadizadeh and Mohammad Ghorbaniyan, whose Bitcoin accounts are said to have been used to receive and exchange the ransom payments.

The move is more a statement of intent than anything else, as the two could simply generate new cryptocurrency addresses or open accounts elsewhere.

FireEye cybercrime analysis manager Kimberly Goody said the two may have targeted critical infrastructure organizations to improve their chances of receiving a pay-out.

“In our SamSam investigations, we observed activity consistent with that noted in the indictment including the exploitation of external servers as well as updates to their initial infection vectors over time. Deploying ransomware post-compromise also allows attackers the ability to better understand victim environments and to both deploy ransomware payloads more broadly and to identified high value systems – putting additional pressure on organizations to pay,” she added.

“It is also important to note that while the actors named in the indictment are associated with the SamSam ransomware, this may just be their most lucrative operation. We have some evidence to suggest that they were investigating the possibility of stealing card payment data, and we have also seen the deployment of cryptocurrency miners in victim environments.”

Sophos principal research scientist Chester Wisniewski argued that SamSam may be just the start of a new wave of targeted ransomware.

“Once in, they move laterally, working one step at a time to steal domain admin credentials, manipulate internal controls, disable back-ups and more to hand-deliver the ransomware,” he continued. “By the time most IT managers notice what’s happening, the damage is done. Other cyber-criminals have taken note, and in 2019 we expect copycat attacks.”
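The chain Wisniewski describes (a privileged account used outside business hours, then backups disabled before the ransomware is hand-delivered) is detectable from ordinary logon and process-creation telemetry. The following is an added example, not code from the article, FireEye or Sophos: it scans a constructed, simplified log format, flags off-hours logons by accounts the defender has listed as privileged, flags command lines that delete or disable backups, and escalates any account that shows both. The business-hours window, the privileged-account list, the backup-tampering patterns and the log format are all assumptions made for the example.

```python
"""Flag the pre-ransomware steps quoted above: off-hours privileged logons and
backup tampering. Added example; all log lines below are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional

# Assumptions for this example (not from the article).
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
PRIVILEGED_ACCOUNTS = {r"CORP\da-svc", r"CORP\backupadmin"}
BACKUP_TAMPERING = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]

# Constructed event format: "<ISO timestamp> <host> <logon|process> user=<acct> [cmd=<command line>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>logon|process)\s+user=(?P<user>\S+)"
    r"(?:\s+cmd=(?P<cmd>.*))?$"
)

# Constructed sample: 2018-03-22 is a Thursday, 03-23 a Friday, 03-24 a Saturday.
SAMPLE_LOG = r"""
2018-03-22T14:05:11 WS17 logon user=CORP\jsmith
2018-03-22T14:06:30 WS17 process user=CORP\jsmith cmd=vssadmin list shadows
2018-03-23T02:41:07 DC01 logon user=CORP\da-svc
2018-03-23T02:43:19 FS01 process user=CORP\da-svc cmd=vssadmin.exe delete shadows /all /quiet
2018-03-23T02:44:02 FS01 process user=CORP\da-svc cmd=wbadmin delete catalog -quiet
2018-03-23T09:12:45 FS01 logon user=CORP\backupadmin
2018-03-24T11:30:00 FS02 logon user=CORP\backupadmin
"""


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    user: str
    reason: str


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or a weekday outside the business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def parse(line: str) -> Optional[dict]:
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def scan(log_text: str) -> List[Alert]:
    """Apply both rules to every line, in order; returns one Alert per hit."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        if ev["event"] == "logon" and ev["user"] in PRIVILEGED_ACCOUNTS and is_off_hours(ev["ts"]):
            alerts.append(Alert(ev["ts"], ev["host"], ev["user"], "off-hours privileged logon"))
        if ev["event"] == "process" and ev["cmd"] and any(p.search(ev["cmd"]) for p in BACKUP_TAMPERING):
            alerts.append(Alert(ev["ts"], ev["host"], ev["user"], "backup tampering: " + ev["cmd"]))
    return alerts


def correlate(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Group alert reasons by account so the two rules can be read together."""
    by_user: Dict[str, List[str]] = {}
    for a in alerts:
        by_user.setdefault(a.user, []).append(a.reason)
    return by_user


def escalated_accounts(alerts: List[Alert]) -> List[str]:
    """Accounts with BOTH an off-hours privileged logon and backup tampering:
    the hand-delivered ransomware staging pattern, worth an immediate response."""
    out = []
    for user, reasons in correlate(alerts).items():
        if any(r.startswith("off-hours") for r in reasons) and any(r.startswith("backup") for r in reasons):
            out.append(user)
    return sorted(out)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts.isoformat()} {a.host} {a.user}: {a.reason}")
    print("escalate:", escalated_accounts(found))
```

On the constructed sample only the `CORP\da-svc` account is escalated: `CORP\backupadmin` logs on at the weekend but never touches backups, and the `vssadmin list shadows` run by a normal user matches nothing. The point of the correlation step is that either rule alone is noisy; the combination on one account is what Wisniewski's description predicts.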
