US indicts Iranian hackers for ‘SamSam’ ransomware attacks
The United States has indicted two Iranians for launching a major cyber attack using ransomware known as “SamSam” and sanctioned two others for helping exchange the ransom payments from Bitcoin digital currency into rials, Reuters reported.
The scheme reportedly ran over 34 months wreaking havoc on hospitals, schools, companies and government agencies, including the cities of Atlanta, Georgia, and Newark, New Jersey, causing over $30 million in losses to victims and allowing the alleged hackers to collect over $6 million in ransom payments.
The deployment of the SamSam ransomware represented some of the highest-profile cyber-attacks on the US.
The six-count indictment, unsealed in the District Court for the District of New Jersey, charges Iran-based Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, with one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud related to computers, and other counts accusing them of intentionally damaging protected computers and illegally transmitting demands related to protected computers, Reuters reported.
“The allegations in the indictment unsealed today — the first of its kind — outline an Iran-based international computer hacking and extortion scheme that engaged in 21st-century digital blackmail,” said assistant attorney general Brian Benczkowski.
Several cybersecurity experts have shared insights on the indictment and the impact of the ransomware attack.
Kimberly Goody, manager, cybercrime analysis, FireEye, said, “FireEye has tracked SamSam activity dating back to late 2015, impacting organisations across multiple industry verticals. Notably, the indictment highlights numerous healthcare and government organisations that have been targeted. It is possible that the operators chose to target these organisations since they provide critical services and believed their likelihood of paying was higher as a result.”
According to Goody, one of the starkest deviations between SamSam operations and traditional ransomware is the departure from more traditional infection vectors. While indiscriminate targeting is still heavily relied on by other actors, likely to bolster operational scalability, there has been an increasing number of threat actors actively engaged in more “targeted” attacks in which ransomware is deployed post-compromise.
“In our SamSam investigations, we observed activity consistent with that noted in the indictment, including the exploitation of external servers as well as updates to their initial infection vectors over time. Deploying ransomware post-compromise also allows attackers the ability to better understand victim environments and to both deploy ransomware payloads more broadly and to identify high-value systems – putting additional pressure on organisations to pay.”
“It is also important to note that while the actors named in the indictment are associated with the SamSam ransomware, this may just be their most lucrative operation. We have some evidence to suggest that they were investigating the possibility of stealing payment card data, and we have also seen the deployment of cryptocurrency miners in victim environments,” she added.