WhamWham, bambam, no thank you, SamSam: Iranians accused by the Feds of orchestrating ransomware outbreak

US prosecutors have this week charged two people believed to be behind the notorious SamSam ransomware outbreak.

The Department of Justice claims Iranian nationals Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri masterminded the infection of more than 200 networks, including a handful of city governments and hospitals in the US and Canada.

Each of the accused has been indicted (PDF) on one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two counts of intentional damage to a protected computer and two counts of transmitting a demand in relation to damaging a protected computer.

Both men are at large, and wanted by the FBI. There is thus no guarantee they will ever appear in a US court.

"The Iranian defendants allegedly used hacking and malware to cause more than $30 million in losses to more than 200 victims,” said Deputy Attorney General Rod Rosenstein. "According to the indictment, the hackers infiltrated computer systems in 10 states and Canada and then demanded payment. The criminal activity harmed state agencies, city governments, hospitals, and countless innocent victims."

Extorted

SamSam has been active for nearly three years now, spanning from December of 2015 to September of 2018. The document-scrambling nasty encrypts file systems of infected Windows machines, and then demands payment in Bitcoin in exchange for the decryption keys to restore people's data. Among the victims of this cyber-infestation were the city governments of Atlanta, GA and the Port of San Diego, CA.

The DoJ estimates that the scheme earned the duo around $6m in ransom payouts, though as Rosenstein noted, the ransomware itself caused around $30m in damages and recovery costs.

The indictment goes on to explain how the duo would run recon operations to scope out potential targets. The hackers would then run their connections through Tor to hide their location, then time the attacks specifically to target companies during off hours in order to spread the malware before it could be detected and infect backup archives in order to further convince victims to pay the ransom demands.

"The defendants chose to focus their scheme on public entities, hospitals, and municipalities," Rosenstein noted.

"They knew that shutting down those computer systems could cause significant harm to innocent victims."

Prosecutors did not say when, if ever, they expect to somehow extradite the Iran-based duo to face trial in the States.

The US government has, however, moved to cut off the duo's financial pipeline. The Treasury Department is publishing the Bitcoin addresses – 149w62rY42aZBox8fGcmqNsXUzSStKeq8C and 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V – that Savandi and Mansouri apparently used to collect ransomware payments. The Feds urged cryptocurrency exchanges not to process transactions involving either address.

"Like traditional identifiers, these digital currency addresses should assist those in the compliance and digital currency communities in identifying transactions and funds that must be blocked and investigating any connections to these addresses," the Treasury Department noted.

"As a result of today’s action, persons that engage in transactions with Khorashadizadeh and Ghorbaniyan could be subject to secondary sanctions." ®