US charges two Iranians for SamSam ransomware attacks
Two men believed to be behind SamSam ransomware campaign are still at large
Prosecutors in the US have charged two Iranians with running a ransomware campaign which cost victims as much as $30m.
The two Iranians have been charged in connection with the ‘SamSam’ ransomware attacks, which affected schools, hospitals, universities and government organisations in several countries over the course of 34 months.
The attacks shut down a hospital in Hollywood, prevented residents of Atlanta from paying utility bills, and forced police in Atlanta to switch to paper-based reports, the BBC said.
The two accused, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, are believed to be in Iran.
Two other Iranian men have also been sanctioned by the US Treasury Department for converting bitcoins paid as ransom into Iranian rials.
"The allegations in the indictment unsealed today - the first of its kind - outline an Iran-based international computer hacking and extortion scheme that engaged in a 21st-Century digital blackmail," said US assistant attorney general Brian Benczkowski on Wednesday.
Security company FireEye commented that it has some evidence that the attackers were involved in other activities besides the SamSam ransomware, but noted that the accused are still at large.
Kimberly Goody, manager of cybercrime analysis at FireEye, said: "FireEye has tracked SamSam activity dating back to late 2015, impacting organisations across multiple industry verticals. Notably, the indictment highlights numerous healthcare and government organisations that have been targeted. It is possible that the operators chose to target these organisations since they provide critical services and believed their likelihood of paying was higher as a result.
"One of the starkest deviations between SamSam operations and traditional ransomware is the departure from more traditional infection vectors. While indiscriminate targeting is still heavily relied on by other actors, likely to bolster operational scalability, there has been an increasing number of threat actors actively engaged in more ‘targeted’ attacks in which ransomware is deployed post-compromise. In our SamSam investigations, we observed activity consistent with that noted in the indictment, including the exploitation of external servers as well as updates to their initial infection vectors over time. Deploying ransomware post-compromise also allows attackers the ability to better understand victim environments and both to deploy ransomware payloads more broadly and to identify high-value systems - putting additional pressure on organizations to pay.
"It is also important to note that while the actors named in the indictment are associated with the SamSam ransomware, this may just be their most lucrative operation. We have some evidence to suggest that they were investigating the possibility of stealing payment card data, and we have also seen the deployment of cryptocurrency miners in victim environments."