US authorities have charged two alleged Iranian hackers with extorting $6 million from victims using the infamous SamSam ransomware.
Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, both of Iran, allegedly masterminded a three-year international computer hacking and extortion scheme that has targeted corporate users with the SamSam ransomware since December 2015.
Municipal computers in the US city of Atlanta were infamously rendered unusable by SamSam in March.
Other victims have included the City of Newark, New Jersey; the Port of San Diego, California; the Colorado Department of Transportation; and the University of Calgary in Alberta, Canada, as well as a number of hospitals and corporations.
The various healthcare-related organizations affected included the Hollywood Presbyterian Medical Center in Los Angeles; Kansas Heart Hospital in Wichita, Kansas; LabCorp; MedStar Health; and Allscripts Healthcare, among others.
Victims incurred losses totaling $30 million in infection clean-up costs, according to the US indictment released on Wednesday.
Unlike most ransomware attacks, SamSam infections typically begin with the exploitation of poorly secured web applications or the compromise of an internal PC over Remote Desktop Protocol (RDP).
Compromised devices are then used as a base from which to scan the internal network and exploit further vulnerabilities.
The end game is typically an attempt to push ransomware installers onto Domain Administrator machines before distributing the malware to connected workstations, where it encrypts and locks up files.
Victims were confronted with ransom demands as high as the equivalent of $50,000 or more in bitcoin in return for the private keys needed to decrypt their data.
Those demands were far higher than in most ransomware attacks, where payouts in the $400-$1,000 range are more typical.
Little chance of extradition
US authorities allege Savandi and Mansouri used Iranian bitcoin exchanges, among other facilities, to cash out their ill-gotten gains.
Savandi and Mansouri are each charged with computer hacking and money laundering offences, or more specifically “one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer and two substantive counts of transmitting a demand in relation to damaging a protected computer”.
Both suspects are based in Iran so – unless they are foolish enough to travel to a country from which they might be extradited to the US – the charges are more about the US sending a political message to Tehran than putting together a criminal prosecution that’s ever likely to be tried in court.
Irrespective of the charges, targeted ransomware attacks involving SamSam or similar malware remain a real threat to government and large corporations, particularly in the healthcare sector.
Countermeasures against SamSam include restricting access to TCP port 3389 (Remote Desktop Protocol) so that it is reachable only from trusted management networks rather than from the internet, along with general good security hygiene practices such as regular backups and prompt patching.
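The following is an added example, not code from the article, showing what restricting port 3389 looks like on a single Windows host: it audits the host firewall for enabled inbound rules that allow RDP from any source, disables the broad built-in rule group, and replaces it with an allow rule scoped to a management subnet. The subnet 10.20.30.0/24 and the rule name are assumptions for illustration. This is a second line of defence on the endpoint; the first is not forwarding or exposing 3389 at the perimeter or in cloud security groups at all.

```powershell
# Added example (not from the article): restrict inbound RDP (TCP 3389) on a Windows host
# to a management subnet and report any rule that leaves it open to every source.
# Run from an elevated PowerShell session. The subnet and rule name are assumptions.

$MgmtSubnet = '10.20.30.0/24'                  # assumed jump-host / admin network
$RuleName   = 'RDP from management subnet only'

# 1. Audit: enabled inbound ALLOW rules for TCP 3389 whose remote address scope is 'Any'.
$open = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Where-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    $port.Protocol -eq 'TCP' -and ($port.LocalPort -contains '3389') -and ($addr.RemoteAddress -contains 'Any')
}
foreach ($r in $open) {
    Write-Warning "RDP reachable from any address via rule '$($r.DisplayName)' (profile: $($r.Profile))"
}

# 2. Disable the built-in 'Remote Desktop' rule group, which permits 3389 from any source.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled False

# 3. Allow RDP only from the management subnet. Windows Firewall's default inbound policy
#    is block, so no explicit block rule is added: a blanket block rule for 3389 would also
#    defeat this allow, because block rules take precedence over allow rules.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain,Private
}

# 4. Verify the scope of the new rule (RemoteAddress should list only the management subnet).
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter
```

Two caveats before running this: if the session is itself an RDP session from outside the management subnet, step 2 will disconnect it, so run it from the console or from a host inside that subnet; and on domain-joined machines a Group Policy firewall setting may override local rules, in which case the same scoping belongs in the GPO. Re-running the audit in step 1 afterwards should produce no warnings.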