[BreachExchange] Two Iranians Charged in SamSam Ransomware Attacks

Destry Winant destry at riskbasedsecurity.com
Thu Nov 29 00:10:46 EST 2018


https://www.databreachtoday.com/two-iranians-charged-in-samsam-ransomware-attacks-a-11741

A federal grand jury has indicted two Iranians for allegedly waging
SamSam ransomware attacks on more than 200 entities, including Atlanta
and other municipalities and six healthcare organizations. They
collected $6 million in ransoms and caused more than $30 million in
losses to victims, prosecutors allege.

In a statement issued Wednesday, the U.S. Department of Justice
announced that a Newark, New Jersey federal grand jury returned an
indictment charging Faramarz Shahi Savandi, 34, and Mohammad Mehdi
Shah Mansouri, 27, in connection with a 34-month-long international
computer hacking and extortion scheme involving the deployment of
sophisticated ransomware.

The six-count indictment alleges that Savandi and Mansouri, acting
from inside Iran, authored SamSam malware that forcibly encrypted data
on the computers of victims.

"The allegations in the indictment unsealed today - the first of its
kind - outline an Iran-based international computer hacking and
extortion scheme that engaged in 21st-century digital blackmail," said
Assistant Attorney General Brian Benczkowski of the Justice
Department's Criminal Division.

"These defendants allegedly used ransomware to infect the computer
networks of municipalities, hospitals and other key public
institutions, locking out the computer owners, and then demanded
millions of dollars in payments from them."

The DOJ alleges that beginning in December 2015, Savandi and Mansouri
accessed the computers of victim entities without authorization
through security vulnerabilities and installed and executed the SamSam
ransomware, resulting in the encryption of data on the victims'
computers.

According to the indictment, Savandi and Mansouri then extorted
victims by demanding a ransom paid in bitcoin in exchange for
decryption keys, collected ransom payments from some of the victims,
and then exchanged the bitcoin proceeds into Iranian rial using
Iran-based bitcoin exchangers.

Many Victims

Prosecutors say the list of more than 200 victims includes the cities
of Atlanta and Newark; the Port of San Diego, California; the Colorado
Department of Transportation; and the University of Calgary in
Calgary, Alberta, Canada. Also among those attacked were six
healthcare-related entities: Hollywood Presbyterian Medical Center in
Los Angeles; Kansas Heart Hospital in Wichita, Kansas; Laboratory
Corporation of America Holdings, more commonly known as LabCorp,
headquartered in Burlington, North Carolina; MedStar Health, based in
Columbia, Maryland; Nebraska Orthopedic Hospital, now known as
OrthoNebraska Hospital, in Omaha, Nebraska; and Allscripts Healthcare
Solutions Inc. in Chicago.

"According to the indictment, the hackers infiltrated computer systems
in 10 states and Canada and then demanded payment. The criminal
activity harmed state agencies, city governments, hospitals and
countless innocent victims," said Deputy Attorney General Rod
Rosenstein.

Savandi and Mansouri are charged with one count of conspiracy to
commit wire fraud, one count of conspiracy to commit fraud and related
activity in connection with computers, two counts of intentional
damage to a protected computer and two counts of transmitting a demand
in relation to damaging a protected computer.

Prosecutors allege that Savandi and Mansouri created the first version
of the SamSam ransomware in December 2015 and then created refined
versions in June and October 2017.

In addition to using Iran-based bitcoin exchangers, the indictment
alleges that the defendants also used overseas computer infrastructure
to commit their attacks. Savandi and Mansouri allegedly used
sophisticated online reconnaissance techniques - such as scanning for
computer network vulnerabilities - and conducted online research to
select and target potential victims, according to the indictment.

The two alleged hackers also disguised their attacks to appear like
legitimate network activity, prosecutors contend.

To carry out their scheme, the indictment alleges, the defendants also
employed the use of Tor, a computer network designed to facilitate
anonymous communication over the internet.

Maximizing the Damage

Prosecutors allege the two defendants maximized the damage caused to
victims by launching attacks outside regular business hours, when a
victim would find it more difficult to mitigate the attack, and by
encrypting backups of the victim organization's computers.

"This was intended to - and often did - cripple the regular business
operations of the victims," according to the indictment.

For instance, the cyberattack on MedStar Health, a 10-hospital system
serving Maryland and the Washington, D.C. area, forced the
organization to shut down many of its systems to avoid the spread of
the malware, disrupting patient care delivery for several days.

Prosecutors said the most recent alleged ransomware attack targeted
the Port of San Diego on Sept. 25.

Sanctions Imposed

In addition to the DOJ indictments of Savandi and Mansouri, the U.S.
Treasury Department's Office of Foreign Assets Control announced
Wednesday that it imposed sanctions against two other Iran-based
individuals, Ali Khorashadizadeh and Mohammad Ghorbaniyan. Treasury
Department officials say these two allegedly helped exchange bitcoin
ransom payments into Iranian rial on behalf of the pair of Iranian
hackers allegedly involved with the SamSam ransomware scheme.

Also, the Treasury Department said it identified two digital currency
addresses associated with these two financial facilitators. More than
7,000 transactions in bitcoin, worth millions of U.S. dollars, have
been processed through these two addresses, some of which involved
bitcoin derived from SamSam ransomware payments, the Treasury
Department said.

"Treasury is targeting digital currency exchangers who have enabled
Iranian cyber actors to profit from extorting digital ransom payments
from their victims," says Sigal Mandelker, Treasury's under secretary
for terrorism and financial intelligence. "As Iran becomes
increasingly isolated and desperate for access to U.S. dollars, it is
vital that virtual currency exchanges, peer-to-peer exchangers and
other providers of digital currency services harden their networks
against these illicit schemes."

Mandelker also noted: "We are publishing digital currency addresses to
identify illicit actors operating in the digital currency space.
Treasury will aggressively pursue Iran and other rogue regimes
attempting to exploit digital currencies and weaknesses in cyber and
AML/CFT [Anti-Money Laundering and Combating the Financing of
Terrorism] safeguards to further their nefarious objectives."

A Symbolic Move?

It seems unlikely that the two Iranians indicted in connection with
the SamSam attacks will be arrested and held accountable in a federal
court because the United States does not have an extradition treaty
with Iran.

"These cases are mostly symbolic," Leroy Terrelonge, an analyst with
cyber intelligence firm Flashpoint, tells Reuters.

Kimberly Goody, who manages financial crime analysis for cybersecurity
firm FireEye, tells Reuters that the SamSam hackers might take a break
to modify their operations to make them more difficult to identify and
block. "There may be a lull but I would expect them to continue," she
says.

Nevertheless, Rosenstein, the deputy attorney general, said at a
Wednesday press conference that he remains confident the suspects will
be apprehended, according to Reuters. "American justice has a long arm
and we will wait and eventually, we are confident that we will take
these perpetrators into custody," he said.

Not Unusual Step

Privacy attorney Iliana Peters of the law firm Polsinelli tells
Information Security Media Group that it's not unusual for federal law
enforcement authorities to indict hackers or other cybercriminals for
crimes committed against U.S. healthcare organizations. Federal
agencies encourage victims to cooperate with law enforcement
investigations.

"It is not unusual for DOJ, FBI, and/or Secret Service to take these
steps. They routinely do these types of investigations and
indictments. This is a large part of the work of cyber-crimes units,
and that's a good thing for healthcare entities," Peters says.

Guidance that the Department of Health and Human Services' Office for
Civil Rights issued after the WannaCry attack last year "makes very
clear that a HIPAA covered entity's or business associate's second
step after an attack, after working to stop the security incident
itself, is to contact law enforcement, not only because they may have
an ongoing case, but also because they may be able to help the entity
recover from the particular attack," she says.