SamSam ransomware actors charged, sanctioned by US government

The U.S. Departments of Justice and Treasury both announced actions being taken against threat actors based in Iran and involved with the SamSam ransomware attacks.

On Wednesday, the FBI indicted Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri on charges of deploying the SamSam ransomware which was known to be used against 67 organizations in 2018, including the city of Atlanta. The FBI noted that the SamSam ransomware has been used in attacks dating back to 2015, infecting more than 230 entities, earning $6 million in ransom payments and inflicting as much as $30 million in damages to its victims.

The investigation was a collaborative effort between the FBI, the U.K.'s National Crime Agency and West Yorkshire Police, and Canada's Calgary Police Service and Royal Canadian Mounted Police.

The indictment charged the two men with "one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer, and two substantive counts of transmitting a demand in relation to damaging a protected computer."

SamSam ransomware attacks have been highly successful, especially in terms of ransom paid, in part because the attackers carried them out in a more methodical fashion than many other ransomware attackers. Unlike other ransomware -- which is often designed to spread quickly and infect as many systems as possible in hopes of getting many smaller ransom payments -- SamSam was much more targeted, as Christopher Glyer, chief security architect at FireEye, described on Twitter earlier this year.

"[The] threat actor targets an org, moves laterally, escalates [privileges] to domain admin, deletes backup tapes -- and then deploys the ransomware to all systems at once," Glyer wrote. "This isn't an automated worm that spread once landing on a single system. A targeted threat actor and ransomware is an incredibly effective combination -- especially if they've deleted your backups."

In my experience - the threat actor behind SamSam Is responsible for majority of the severely disruptive ransomware attacks that make the news (outside of wannacry/NotPetya worms...etc)

— Christopher Glyer (@cglyer) March 28, 2018

Martijn Grooten, security researcher and editor for Virus Bulletin, described SamSam ransomware as "one of the most successful ransomware campaigns in recent years, thanks to the clever targeting of specific organizations, including universities, hospitals and local governments."

"This targeting allowed the attackers to ensure the targeted organization really couldn't recover the files without the private key, enabled them to create a very smooth 'support' process for those victims that did pay, and to make very large ransom demands," Grooten wrote in a blog post. "It is unclear whether in the current political climate (and given the fact they do not appear to have targeted Iranian organizations) the alleged SamSam authors will face justice, or even whether their indictment will bring an end to their activities. But it does serve as a reminder that even attackers with good OPSEC, such as those behind SamSam, have a very hard time staying hidden."