DOJ Charges Two Iranian Hackers for Part in SamSam Ransomware Attacks

Dec 1, 2018


The U.S. Department of Justice has announced substantial progress in its investigation of the threat actors behind the SamSam ransomware attacks that have plagued the healthcare industry over the past couple of years.

The DOJ, with assistance from the Royal Canadian Mounted Police, Calgary Police Service, and the UK’s National Crime Agency and West Yorkshire Police, has identified two Iranians believed to be behind the SamSam ransomware attacks.

Both individuals – Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri – have been operating out of Iran since 2016 and have been charged on four counts:

  • Conspiracy to commit fraud and related computer activity
  • Conspiracy to commit wire fraud
  • Intentional damage to a protected computer
  • Transmitting a demand in relation to damaging a protected computer

The DOJ reports that this is the first ever U.S. indictment of criminals over a for-profit ransomware, hacking, and extortion scheme.

In contrast to many threat actors who use ransomware for extortion, the SamSam ransomware group carries out targeted, manual attacks on businesses. Most ransomware gangs use spam email and other mass distribution methods to infect as many people as possible.

The SamSam ransomware group exploits vulnerabilities and carries out brute-force RDP attacks to gain access to systems, then scans networks and moves laterally before manually deploying ransomware on as many computers as possible.
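As an added example that is not part of the article, the following Python flags the brute-force RDP pattern described above from Windows Security logon events (Event IDs 4625/4624 with LogonType 10); the event records, source addresses and thresholds are constructed assumptions.

```python
# Flag brute-force RDP logons and whether one eventually succeeded.
# Windows Security Event ID 4625 = failed logon, 4624 = successful logon;
# LogonType 10 (RemoteInteractive) marks RDP. Events, IPs and thresholds
# here are constructed assumptions, not data from the article.
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_events():
    """Constructed sample: (time, event_id, logon_type, source_ip, account)."""
    base = datetime(2018, 11, 20, 2, 0, 0)
    ev = []
    # 12 failed RDP logons from one source in under three minutes, then a success
    for i in range(12):
        ev.append((base + timedelta(seconds=15 * i), 4625, 10, "203.0.113.7", "administrator"))
    ev.append((base + timedelta(minutes=4), 4624, 10, "203.0.113.7", "administrator"))
    # three failures from another source spread over hours: noise, not brute force
    for i in range(3):
        ev.append((base + timedelta(hours=i), 4625, 10, "198.51.100.9", "jsmith"))
    # a failed network logon (LogonType 3) is not RDP and must be ignored
    ev.append((base, 4625, 3, "192.0.2.4", "svc"))
    return ev


def find_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {source_ip: {"failures": total, "succeeded_as": account or None}}
    for each source with >= threshold failed RDP logons inside any `window`,
    recording the account of a successful RDP logon that followed, if any."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, event_id, logon_type, ip, account in events:
        if logon_type != 10:  # only RemoteInteractive (RDP) logons count
            continue
        if event_id == 4625:
            failures[ip].append(ts)
        elif event_id == 4624:
            successes[ip].append((ts, account))
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # advance the window start until times[start..end] spans <= window
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                later = [acct for t, acct in successes[ip] if t >= times[end]]
                alerts[ip] = {"failures": len(times),
                              "succeeded_as": later[0] if later else None}
                break
    return alerts
```

A source that is flagged and then shows up with `succeeded_as` set is the case to escalate first, since it matches the access-then-lateral-movement sequence the article describes.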

This method of attack lets the threat actors cause maximum damage. With a large proportion of a company’s computers and systems taken out of action, the gang can issue large ransom demands. The ransoms demanded are usually in the range of $5,000 to $50,000, with the amount based on the number of devices that have been encrypted.

In the two years that the gang has been deploying SamSam ransomware, roughly $6,000,000 in ransom payments have been collected from about 200 victims. Many victims chose not to pay the ransom demands but still incurred substantial costs mitigating the attacks. The DOJ estimates that, in addition to the ransom payments, losses from downtime caused by the attacks have exceeded $30 million.

The gang’s list of victims is long and includes the Colorado Department of Transportation, the cities of Newark, New Jersey, and Atlanta, and the Port of San Diego. Healthcare industry victims include Hancock Health, LabCorp of America, Nebraska Orthopedic Hospital, Cass Regional Medical Center, Allied Physicians of Michiana, Kansas Heart Hospital, Adams Memorial Hospital, Allscripts, and MedStar Health.

Research by Sophos shows 26% of attacks were on healthcare companies, 13% on government organizations, 11% on educational institutions, and 50% on private businesses. The attacks have mainly been carried out on companies in the United States, with other victims spread across Canada, the UK, and the Middle East.

The DOJ said the SamSam ransomware gang “engaged in a risky form of 21st-century digital blackmail, attacking and forcing weak victims like hospitals and schools, victims they knew would be willing and able to pay.”

The DOJ will continue to work with international law enforcement agencies to gather evidence and bring those responsible to justice.

The DOJ has also taken the opportunity to stress that all industry sectors are at risk of attack. “This charge emphasizes the need for companies, healthcare institutes, universities, and other units to highlight cybersecurity, increase threat consciousness, and harden their computer networks,” wrote the DOJ in a press release announcing the indictment.