The United States has reportedly indicted two Iranians for launching a major cyber-attack using ransomware known as “SamSam,” Reuters reported.
According to the report, the US also sanctioned two others for helping exchange the ransom payments from Bitcoin digital currency into rials.
The scheme reportedly ran over 34 months wreaking havoc on hospitals, schools, companies and government agencies, including the cities of Atlanta, Georgia, and Newark, New Jersey, causing over $30 million in losses to victims and allowing the alleged hackers to collect over $6 million in ransom payments.
The deployment of the SamSam ransomware represented some of the highest profile cyber-attacks on US.
The six-count indictment, unsealed in the District Court for the District of New Jersey, charges Iran-based Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27 with one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud related to computers, and other counts accusing them of intentionally damaging protected computers and illegally transmitting demands related to protected computers, Reuters reported.
Assistant Attorney General Brian Benczkowski has announced criminal charges on Wednesday, saying, “The allegations in the indictment unsealed today — the first of its kind — outline an Iran-based international computer hacking and extortion scheme that engaged in 21st-century digital blackmail.”
Several cybersecurity experts have shared insights on the indictment and the impact of the ransomware attack.
Kimberly Goody, manager, cybercrime analysis, FireEye, said, “FireEye has tracked SamSam activity dating back to late 2015, impacting organisations across multiple industry verticals. Notably, the indictment highlights numerous healthcare and government organisations that have been targeted. It is possible that the operators chose to target these organisations since they provide critical services and believed their likelihood of paying was higher as a result.
According to Goody, one of the starkest deviations between SamSam operations and traditional ransomware is the departure from more traditional infection vectors. While indiscriminate targeting is still heavily relied on by other actors likely to bolster operational scalability, there has been an increasing number of threat actors actively engaged in, more “targeted” attacks in which ransomware is deployed post-compromise. “In our SamSam investigations, we observed activity consistent with that noted in the indictment including the exploitation of external servers as well as updates to their initial infection vectors over time. Deploying ransomware post-compromise also allows attackers the ability to better understand victim environments and to both deploy ransomware payloads more broadly and to identified high value systems – putting additional pressure on organisations to pay.
“It is also important to note that while the actors named in the indictment are associated with the SamSam ransomware, this may just be their most lucrative operation. We have some evidence to suggest that they were investigating the possibility of stealing payment card data, and we have also seen the deployment of cryptocurrency miners in victim environments,” she added.
“The impact that these indictments will have is unclear since the individuals are purportedly located in Iran and remain at large.”
Chester Wisniewski, principal research scientist, Sophos, highlighted that SamSam’s human-centered approach has proved successful, with the authors of the ransomware collecting an estimated $6.5m over the course of almost three years.
“The attacks were more cat burglar in style – they strategically happened when victims were asleep, indicating that the attacker carries out reconnaissance on victims and carefully plans who, what, where and when attacks will happen,” he said.
“In these attacks, cybercriminals target weak entry points and brute-force Remote Desktop Protocol (RDP) passwords. Once in, they move laterally, working one step at a time to steal domain admin credentials, manipulate internal controls, disable back-ups and more to hand-deliver the ransomware. By the time most IT managers notice what’s happening, the damage is done. Other cybercriminals have taken note, and in 2019 we expect copycat attacks,” he added.
Wisniewski noted that Sophos’ research suspected that this was a small group of people by the degree of operational security they employed.
“They were not braggarts or noisy on dark web forums as is typical of many amateurs. Some of the grammatical and punctuation tics Sophos saw may have been due to the threat actors’ not being native English speakers,” he said.
“Tehran’s time zone is GMT+3:30 and that may have been evident in the compile times of the malware samples we analysed, and the threat actor’s “work hours” were consistent with this time zone. The Sophos SamSam report and 2019 Threat Report explain in detail how they operated with their attacks. Their TTP was unique and employed some very intriguing protection measures that evolved over time. Sadly, they have inspired a whole new generation of attacks that are using the same playbook against other large and mid-sized organisations. Sophos details immediate steps businesses need to take in its reports on SamSam and the SophosLabs 2019 Threat report, not only because these cybercriminals are still on the run, but because they have inspired others to follow in their footsteps.
“This goes to show that no amount of malicious code, covert operations and cryptocurrency puts a criminal beyond our ability to identify and bring forth charges for stealing and extorting money from innocent people. By identifying the Bitcoin wallets associated with this criminal activity they have essentially marked them as poison. Anyone who attempts to help launder those cryptocurrencies and assists in converting them to real money will be an accessory to the crimes alleged to have been committed,” Wisniewski.