The US Justice Department has charged two Iranian citizens for developing and using the notorious SamSam ransomware against hundreds of US organizations.
Prosecutors allege Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, were behind a nearly three-year ransomware spree that affected 200 organizations and caused $30 million in losses.
The pair have been charged with numerous computer crimes and acts of extortion that took place between December 2015 -- when the malware is believed to have been written -- and the last documented attack in September 2018.
Savandi and Mansouri were placed on the FBI's most wanted list after a federal grand jury on Monday indicted them on charges of fraud and intentionally damaging a protected computer. The charges were unsealed today in the District of New Jersey, which has issued a federal arrest warrant for them.
SamSam stood apart from commercially available ransomware: it was never sold as a service on criminal forums, and its operators were selective about where they deployed it, often identifying targets by scanning the internet and manually exploiting vulnerabilities.
The attacks often targeted systems with Remote Desktop Protocol (RDP) exposed to the internet. Researchers found the group using a range of hacking tools, including the Mimikatz credential stealer.
As the sole operators of SamSam, Savandi and Mansouri are accused of attacks on LabCorp of America, MedStar Health, the City of Newark, New Jersey, the Colorado Department of Transportation, the Port of San Diego, and the Hollywood Presbyterian Medical Center in Los Angeles.
Some victim organizations paid as much as $50,000 in exchange for the decryption key, collectively netting the pair $6 million in extortion payments, all paid in Bitcoin and cashed out through Iranian cryptocurrency exchanges.
“As the indictment in this case details, they started with a business in Mercer County and then moved on to major public entities, like the City of Newark, and healthcare providers, like the Hollywood Presbyterian Medical Center in Los Angeles and the Kansas Heart Hospital in Wichita—cravenly taking advantage of the fact that these victims depend on their computer networks to serve the public, the sick, and the injured without interruption,” said Craig Carpenito, a US Attorney for the District of New Jersey.
Given the nearly 40-year pause in US-Iran diplomatic relations, it is unlikely Savandi and Mansouri will be extradited to the US.
Nonetheless, the charges will make it risky for the two Iranian nationals to travel to any country the US has relations with. And in the case of Mansouri, the FBI has put a name and face to the SamSam attacks.
“As a result of the indictment, the defendants are now fugitives from justice. This case demonstrates the Department of Justice’s commitment to identifying and prosecuting cybercriminals, wherever they choose to base their operations,” said Brian Benczkowski, Assistant Attorney General for the Criminal Division of the DoJ.
“We will continue to work together with our law enforcement partners, here in the United States and around the world, along with victims, to gather evidence and build cases to ensure there are no safe havens for cybercriminals to operate.”
The indictment states that Savandi and Mansouri used two European virtual private server providers and the anonymizing network Tor to hide their identities and location during the attacks.
The pair also became more brazen over time, cutting reconnaissance time on targets from weeks in 2016 to days by 2018. They also disguised the ransomware's encryption activity as legitimate network activity and carried out the attacks outside normal business hours.
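The two details above that a defender can act on are internet-exposed RDP as the entry point and attacks timed outside business hours. The following is an added example, not code from the article or from any SamSam investigation: it scans constructed Windows Security log records (Event ID 4624, logon type 10 = RemoteInteractive/RDP) and flags RDP logons that come from outside an assumed trusted range or outside assumed business hours. The trusted network (10.0.0.0/8), the 08:00-18:00 Monday-to-Friday window, the account names and the IP addresses are all assumptions for illustration.

```python
"""Flag RDP logons from untrusted sources or outside business hours.

Runs over constructed sample records shaped like Windows Security
Event ID 4624 (successful logon); none of this is real victim telemetry.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumptions for this example: business hours are 08:00-18:00 local,
# Monday to Friday, and 10.0.0.0/8 is the only trusted source range.
BUSINESS_START, BUSINESS_END = 8, 18
TRUSTED_NETS = [ip_network("10.0.0.0/8")]
RDP_LOGON_TYPE = 10  # RemoteInteractive (RDP / Terminal Services)

# Constructed sample events: (timestamp, event_id, logon_type, account, source_ip)
# 2018-09-03 is a Monday; 2018-09-08 is a Saturday.
SAMPLE_EVENTS = [
    ("2018-09-03 10:15:00", 4624, 10, "CORP\\jdoe", "10.1.2.3"),        # internal, in hours: fine
    ("2018-09-03 02:41:12", 4624, 10, "CORP\\svc_backup", "185.0.2.1"),  # external, off hours
    ("2018-09-03 11:05:44", 4624, 10, "CORP\\admin", "198.51.100.7"),    # external, in hours
    ("2018-09-08 14:20:00", 4624, 10, "CORP\\jdoe", "10.1.2.3"),        # internal, but Saturday
    ("2018-09-03 09:00:00", 4624, 2, "CORP\\jdoe", "-"),                 # console logon: ignored
]


def is_business_hours(ts: datetime) -> bool:
    """True on a weekday between BUSINESS_START and BUSINESS_END (hour granularity)."""
    return ts.weekday() < 5 and BUSINESS_START <= ts.hour < BUSINESS_END


def is_trusted_source(ip: str) -> bool:
    """True only for parseable addresses inside a trusted network; '-' and junk are untrusted."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def rdp_alerts(events):
    """Return (timestamp, account, source_ip, reasons) for each suspicious RDP logon."""
    alerts = []
    for ts_str, event_id, logon_type, account, src in events:
        if event_id != 4624 or logon_type != RDP_LOGON_TYPE:
            continue  # only successful RDP logons are of interest here
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        reasons = []
        if not is_trusted_source(src):
            reasons.append("untrusted source")
        if not is_business_hours(ts):
            reasons.append("outside business hours")
        if reasons:
            alerts.append((ts_str, account, src, reasons))
    return alerts


if __name__ == "__main__":
    for ts, account, src, reasons in rdp_alerts(SAMPLE_EVENTS):
        print(f"{ts} {account} from {src}: {', '.join(reasons)}")
```

In production the same two checks would run against forwarded event logs rather than a hard-coded list, and the trusted range would normally be a VPN or jump-host subnet, since an RDP logon from any public address is itself the finding the SamSam case turns on.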