U.S. Department of Justice Indicts Two Iranian Nationals for Sophisticated Ransomware Scheme

Today, the U.S. Department of Justice announced the unsealing of an indictment in the District of New Jersey, charging two Iranian nationals, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, with conducting a 34-month-long international computer hacking and extortion scheme involving the deployment of sophisticated ransomware against more than 200 victims, including hospitals, municipalities, and public institutions.  Both defendants are charged with conspiracy to commit wire fraud, conspiracy to commit fraud and related activity in connection with computers, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer.

According to the indictment, the defendants, acting from inside Iran, authored malware, known as “SamSam Ransomware,” that was capable of forcibly encrypting data on the computers of victims.  Beginning in December 2015, the defendants allegedly accessed the computers of victim entities without authorization through security vulnerabilities, and installed and executed the SamSam Ransomware on the computers, which resulted in the encryption of data on the victims’ computers.  In committing their attacks, the defendants allegedly used overseas computer infrastructure and sophisticated online reconnaissance techniques (e.g., scanning for computer network vulnerabilities), and conducted online research in order to select and target potential victims.  In some cases, they would also disguise their attacks to look like legitimate network activity.

Once SamSam was deployed on targeted computers, the defendants allegedly would then extort victim entities by demanding a ransom paid in the virtual currency Bitcoin in exchange for decryption keys for the encrypted data, collecting ransom payments from victim entities that paid the ransom, and exchanging the Bitcoin proceeds into Iranian rial using Iran-based Bitcoin exchangers.  The indictment alleges that, as a result of their conduct, Savandi and Mansouri have collected over $6 million USD in ransom payments to date, and caused over $30 million USD in losses to victims.

Note:  Financial-crimes compliance and information-security officers should use this indictment as an opportunity to remind corporate officers and employees, at all levels, of the risks that ransomware can pose to their companies’ capacity to conduct critical operations, as well as their obligation to comply fully with corporate cybersecurity requirements.  As cybersecurity firm Malwarebytes previously observed, to gain initial access SamSam uses not only sophisticated exploitation of vulnerabilities in remote desktop protocols, Java-based web servers, and file transfer protocol servers, but also the unsophisticated but still effective approach of “brute force” attacks against weak passwords.

The consequences of failing to guard against ransomware such as SamSam on all fronts have been catastrophic for various businesses. Among other SamSam victims, the City of Atlanta, which reportedly refused to pay the ransom, may need as much as $17 million to remediate the damage, and an Indiana hospital, which reportedly chose to pay the ransom, was nonetheless reduced at one point to working with pen and paper before systems could be restored.  Because the cybersecurity community is by now well aware of the vectors and techniques behind SamSam, chief information security officers need to ensure that their companies’ ransomware defenses are robust and kept up to date.

In his remarks concerning the indictment, Assistant Attorney General for the Criminal Division Brian A. Benczkowski stated that “the Criminal Division and its law enforcement partners will relentlessly pursue cybercriminals who harm American citizens, businesses, and institutions, regardless of where those criminals may reside.” That statement is more than high-sounding rhetoric.  The unsealing of the indictment and the FBI’s issuance of a “Wanted by the FBI” poster for both men indicate that the Department, as it has done in other serious criminal cases involving defendants in foreign jurisdictions, is prepared to be patient and wait – for years if necessary – for an opportunity to apprehend and extradite the defendants.
