SamSam ransomware actors charged, sanctioned by US government

The FBI indicted two threat actors involved with the SamSam ransomware attacks while the US Treasury sanctioned two others for their role in exchanging Bitcoin earned from attacks.

The U.S. Departments of Justice and Treasury both announced actions being taken against threat actors based in Iran and involved with the SamSam ransomware attacks.

On Wednesday, the FBI indicted Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri on charges of deploying the SamSam ransomware which was known to be used against 67 organizations in 2018, including the city of Atlanta. The FBI noted that the SamSam ransomware has been used in attacks dating back to 2015, infecting more than 230 entities, earning $6 million in ransom payments and inflicting as much as $30 million in damages to its victims.

The investigation was a collaborative effort between the FBI, the U.K.'s National Crime Agency and West Yorkshire Police, and Canada's Calgary Police Service and Royal Canadian Mounted Police.

The indictment charged the two men with "one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer, and two substantive counts of transmitting a demand in relation to damaging a protected computer."

SamSam ransomware attacks have been highly successful, especially in terms of ransom paid, in part because the attackers carried them out in a more methodical fashion than many other ransomware attackers. Unlike other ransomware -- which is often designed to spread quickly and infect as many systems as possible in hopes of getting many smaller ransom payments -- SamSam was much more targeted, as Christopher Glyer, chief security architect at FireEye, described on Twitter earlier this year.

"[The] threat actor targets an org, moves laterally, escalates [privileges] to domain admin, deletes backup tapes -- and then deploys the ransomware to all systems at once," Glyer wrote. "This isn't an automated worm that spread once landing on a single system. A targeted threat actor and ransomware is an incredibly effective combination -- especially if they've deleted your backups."

Martijn Grooten, security researcher and editor for Virus Bulletin, described SamSam ransomware as "one of the most successful ransomware campaigns in recent years, thanks to the clever targeting of specific organizations, including universities, hospitals and local governments."

"This targeting allowed the attackers to ensure the targeted organization really couldn't recover the files without the private key, enabled them to create a very smooth 'support' process for those victims that did pay, and to make very large ransom demands," Grooten wrote in a blog post. "It is unclear whether in the current political climate (and given the fact they do not appear to have targeted Iranian organizations) the alleged SamSam authors will face justice, or even whether their indictment will bring an end to their activities. But it does serve as a reminder that even attackers with good OPSEC, such as those behind SamSam, have a very hard time staying hidden."

Additional actions

Also on Wednesday, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) designated two other Iran-based individuals -- Ali Khorashadizadeh and Mohammad Ghorbaniyan -- for their role in exchanging the Bitcoin payments gathered in SamSam ransomware attacks into Iranian rial.

Designation by the Treasury Department is a power granted by a 2001 executive order and means the agency can "freeze the assets of individuals and groups who seek out to commit terrorist acts, as well as those entities who attempt to support them."

"Treasury is targeting digital currency exchangers who have enabled Iranian cyber actors to profit from extorting digital ransom payments from their victims.  As Iran becomes increasingly isolated and desperate for access to U.S. dollars, it is vital that virtual currency exchanges, peer-to-peer exchangers, and other providers of digital currency services harden their networks against these illicit schemes," Sigal Mandelker, Treasury under secretary for terrorism and financial intelligence said in a statement.  "We are publishing digital currency addresses to identify illicit actors operating in the digital currency space. Treasury will aggressively pursue Iran and other rogue regimes attempting to exploit digital currencies and weaknesses in cyber and AML/CFT safeguards to further their nefarious objectives."

The two Bitcoin addresses identified by the Treasury Dept. in connection with SamSam ransomware attacks were used "to process over 7,000 transactions, to interact with over 40 exchangers -- including some US-based exchangers -- and to send approximately 6,000 bitcoin worth millions of USD, some of which involved bitcoin derived from SamSam ransomware.

The Treasury Department said designating the two men will result in "all property and interests in property of the designated persons that are in the possession or control of U.S. persons or within or transiting the United States are blocked, and U.S. persons generally are prohibited from dealing with them." However, it is unclear what exactly this will mean in practice because the list of transactions on those addresses show the threat actors routinely transferred out any payments made soon after receipt, so neither address held much currency at any given time.

Dig Deeper on Security operations and management