The port of San Diego. The city of Atlanta. Kansas Heart Hospital. Those are just a few of the more than 200 municipalities, universities, hospitals, and other targets that have fallen victim to SamSam, a pernicious strain of ransomware that has spent the past three years rampaging throughout the US. On Wednesday, the Justice Department indicted two Iranian men allegedly behind the attacks.
The six-count indictment (embedded in full below) alleges that Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, both Iranian nationals, created SamSam and deployed it to devastating effect. In all, the Justice Department estimates that the hackers collected around $6 million in ransom payments from victims, while causing $30 million of damage.
“SamSam ransomware is a dangerous escalation in cybercrime,” said US Attorney Craig Carpenito at a Wednesday press conference announcing the charges. “This is a new type of cybercriminal. Money is not their sole objective.”
At the very least, the way the SamSam hackers went about acquiring that money sets them apart from the typical ransomware attacker. “Most ransomware is delivered via a phishing email with a malicious attachment,” says Jake Williams, founder of cybersecurity firm Rendition Infosec. “We don’t see that with SamSam. SamSam does something a little bit different.”
Rather than blasting out phishing emails and passively waiting to see who bites, the indictment alleges, Savandi and Mansouri conducted reconnaissance on specific targets—like hospitals and cities—that a systemwide shutdown would impact the most. They then took advantage of poor cybersecurity hygiene, like passwords that could be guessed with a brute-force attack, to get an initial foothold into a system.
“We’ve never been aware of [the SamSam attackers] using social engineering or traditional malware attacks to gain access to systems. It’s either been through vulnerabilities in web applications or weak authentication, stuff that does not require action on the part of the victim,” says Keith Jarvis, senior security researcher at SecureWorks, a cybersecurity firm that has tracked SamSam infections.
Not only does that show the relative sophistication of the SamSam hackers, it also makes the attacks much harder to defend against. Rather than infect a single workstation, the ransomware can seize up a dozen or more critical servers. Think of it as the difference between a robber who walks down the street knocking on every door to see who opens it, and one who takes the time to pick the lock and dismantle the security system.
“They will silently move through the network and locate additional machines for exploiting inside that network. We’ve seen a couple of cases where they’ve targeted online backups and deleted those online backups before they begin the encryption process,” says Williams. “They’re not the only group that does it, but they’re definitely the best known group that does it.”
Why the extra effort? Because a hospital in that situation would be that much more likely to pay up. The FBI recommends that ransomware victims hold out, but that’s not always practical when you have, say, an entire city to run.
Wednesday’s indictment doesn’t contain that much more information about SamSam than was previously known, aside from the identity of the alleged perpetrators. Even that may not be as salacious as it seems; despite a recent uptick in state-sponsored Iranian cyberattacks, the pair have no apparent government ties.
Of more interest may be the hints at how the feds traced the crimes back to their origins. While details there are scant, the indictment does indicate that investigators acquired not only chats between the alleged malware perpetrators and the bitcoin exchanges in which they laundered their proceeds, but also the specific bitcoin addresses associated with the attacks. In a first, the Treasury Department Wednesday imposed sanctions against those addresses, which combined had processed more than 7,000 transactions.
“The criminals believed they were masking their identities on the dark web. However, this case shows that anonymizers may not make you as anonymous as you think you are. They used bitcoin to avoid detection, but this case shows that the digital currency can be traceable,” said FBI executive assistant director Amy Hess at a press conference Wednesday.
It remains to be seen whether the indictment actually stops or even slows SamSam attacks. “In the past, it’s been shown that without both a legal action and a technical operation against them, cybercriminals are more likely to continue their attacks,” says Jarvis. “In this case there really wasn’t any sort of technical operation that stops them from committing these crimes now or in the future.”
Because the US has no extradition treaty with Iran, the pair seem unlikely to be apprehended. And given that their targets comprised Iranian adversaries—the attacks overwhelmingly hit the United States, with scattered examples in the UK and Canada—it’s unclear whether Iranian law enforcement will go out of their way to interfere with their efforts. Jarvis says SecureWorks has seen fresh SamSam infections as recently as four days ago.
That doesn’t make the indictment just for show. Regardless of the impact on the alleged SamSam hackers specifically, the Justice Department made a statement that should resound among cybercriminals who rely on bitcoin and the dark web for anonymity.
“It absolutely adds a chilling effect,” Jarvis says. “It says you can make millions of dollars, and you can go untouched for years, but eventually you’re going to get named.”