Iranian Nationals Charged In SamSam Ransomware Probe

Two Iranian men were behind the destructive SamSam ransomware outbreak that affected hundreds of organisations around the world, including the City of Atlanta, a Los Angeles hospital and the Port of San Diego, and caused more than $30 million (£24m) in damage, according to new charges issued by the US Justice Department.

The destructive ransomware strain was first developed in 2015, before being issued in a refined form last year, the DOJ said.

In some cases those affected paid more than $50,000 in Bitcoin to recover access to their computer systems.

“The allegations in the indictment unsealed today – the first of its kind – outline an Iran-based international computer hacking and extortion scheme that engaged in a 21st-century digital blackmail,” said US assistant attorney general Brian Benczkowski.

Bitcoin money-laundering charges

The US Treasury also sanctioned two other Iranian men for facilitating the exchange of Bitcoin paid in ransom into Iran’s currency.

It specified two Bitcoin wallets used to send and receive the funds, meaning that Bitcoin trading platforms could face penalties for carrying out transactions with the accounts.

The move marks the first time the US has carried out sanctions involving a digital currency.

The FBI acknowledged that the two Iranians allegedly behind SamSam, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, were beyond the reach of US authorities, but said they could be apprehended if they travel.

“The United States is exploring other avenues of recourse,” the FBI said.

US authorities have, in the past, worked with other countries to arrest those charged with cybercrimes when they travel, including Russian national Pyotr Levashov, an alleged botnet operator who was arrested in Barcelona last year whilst on holiday with his wife, son and a friend.

The US has recently taken to naming foreign individuals allegedly involved with high-profile cyber-crimes, charging Russian military intelligence officers with hacking and saying a North Korean programmer was behind the 2017 WannaCry ransomware outbreak, the 2014 attack on Sony Pictures Entertainment and other hacking incidents.

High-profile incidents

While not particularly advanced, SamSam has been behind a number of high-profile incidents.

It affected at least 230 targets around the world, with most in the US, including the Hollywood Presbyterian Medical Center in Los Angeles, which had to turn away patients in early 2016.

Five government departments were affected in Atlanta, barring residents from paying utility bills and forcing police officers to revert to paper reports.

Targets in the UK and Canada were also affected, according to the FBI.

It said the two hackers who launched SamSam netted more than $6m in Bitcoin.

“The defendants in this case developed and deployed the SamSam Ransomware in order to hold public and private entities hostage and then extort money from them,” said US Attorney Craig Carpenito of the District of New Jersey.

“This indictment demonstrates the FBI’s continuous commitment to unmasking malicious actors behind the world’s most egregious cyber attacks,” said FBI executive assistant director Amy Hess.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
