Two Iranian Hackers Indicted for SamSam Ransomware Attacks

The U.S. Department of Justice (DOJ) has announced that two threat actors responsible for SamSam ransomware attacks over the past two years have been indicted. Mohammad Mehdi Shah Mansouri and Faramarz Shahi Savandi have been operating in Iran since 2016 and are believed to be behind the attacks.

The DOJ has been investigating the attacks and has been attempting to identify the individuals responsible and has received asistance from the UK’s National Crime Agency and West Yorkshire Police, the Royal Canadian Mounted Police and the Calgary Police Service. The DOJ stated that this is the first time that the U.S. has indicted criminals for a for-profit ransomware, hacking, and extortion case.

Both individuals have been been indicted on four counts:

  • Deliberate damage to a protected computer
  • Sending a demand in connection with damaging a protected computer
  • Conspiracy to commit fraud and associated computer activity
  • Conspiracy to commit wire fraud

The threat actors behind the SamSam ransomware attacks first gain access to computer systems before manually deploying ransomware. They exploit vulnerabilities and most commonly use brute force tactics on RDP to access to systems. They spend time learning about the network architecture and move laterally to infect as many devices as possible before executing the encryption routine.

This method of attack enables the attackers to cause the maximum amount of damage and command large ransom payments. Typically, ransoms of $5,000 to $50,000 are issued, with the ransom dictated by the extent of encryption and the perceived ability of the organization to pay.

The attacks have been conducted over a period of two years, during which time $6,000,000 in ransom payments have been collected from approximately 200 victims. Even if organizations are able to recover without paying the ransom, substantial losses are suffered. According to the DOJ’s estimates, besides the ransom payments, the attacks have resulted in businesses suffering losses of more than $30 million from downtime associated with the attacks.

The SamSam ransomware gang has a long list of victims including the cities of New Jersey, Newark and Atlanta, the Port of San Diego and the Colorado Department of Transportation. From the healthcare industry, their victims include Adams Memorial Hospital, Allied Physicians of Michiana, Allscripts, Hancock Health, Kansas Heart Hospital, Nebraska Orthopedic Hospital, Cass Regional Medical Center, LabCorp of America and MedStar Health.

Based on research by Sophos, 26% of the attacks targeted healthcare organizations, 13% targeted government agencies, 11% targeted educational institutions, and 50% targeted private organizations. The attacks were mostly on organizations in the U.S., though some victims were based in Canada, the Middle East and the UK.

The DOJ described the SamSam ransomware gang as involved in a serious kind of 21st-century digital blackmail, targeting and extorting susceptible victims such as hospitals and educational institutions. The DOJ will keep on working with international authorities to collect evidence and to bring those responsible to account for their crimes. The DOJ is also raising awareness that businesses of all sizes are in danger of being attacked with ransomware and should therefore take steps to ensure their systems are secure and data recovery is possible without having to pay a ransom.