Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri were indicted by a federal grand jury in New Jersey on six counts of wire fraud and computer hacking in a nearly three-year blitz that caused an estimated $30 million in damage. The scheme allegedly netted the cyber kidnappers at least $6 million, the feds said, gained from extorting ransom paid in Bitcoin they subsequently exchanged into Iranian rial.
According to the indictment, Savandi and Mansouri unleashed SamSam on some 200 victims, included hospitals, municipalities and public institutions. Government officials called the extortion “21st century digital blackmail.” Of note, some of the casualties, including the City of Atlanta, declined to pay the $50,000 ransom, instead opting to reconstruct their networks with the help of cybersecurity experts. Atlanta ended up doling out roughly $17 million in recovery costs for services, software and infrastructure upgrades.
Other prominent U.S. victims included the City of Newark, New Jersey, the Colorado Department of Transportation, the Port of San Diego and six healthcare related services. Security provider Symantec figured that SamSam infected 67 organizations in the last 10 months. Of those, 56 were located in the U.S. and the remainder occurred in Australia, Canada, France, Israel and Portugal.
“The hackers infiltrated computer systems in 10 states and Canada and then demanded payment,” said U.S. Deputy Attorney General Rod Rosenstein. “The criminal activity harmed state agencies, city governments, hospitals, and countless innocent victims.”
Savandi and Mansouri are said to have created the first version of SamSam in December 2015 and refined the code in June and October 2017. The indictment also alleges the defendants maximized the damage by launching attacks outside regular business hours when it would be harder for security teams to mitigate the infection, and by encrypting backups of the victims’ computers. The most recent ransomware attack alleged in the indictment took place two months ago to the Port of San Diego.
Cybersecurity pros weighing in on the indictment pointed to the tactics and demeanor of the hackers and the increasing sophistication of their malicious code. Sophos said it expected the attacks were carried out by a small group, owing to how the perps operated. “They were not braggarts or noisy on dark web forums as is typical of many amateurs,” Chester Wisniewski, Sophos principal research scientist, told MSSP Alert in an email. “In these attacks, cybercriminals target weak entry points and brute-force remote desktop protocol passwords. By the time most IT managers notice what’s happening, the damage is done. Other cyber criminals have taken note, and in 2019 we expect copycat attacks.”
In a Secureworks’ new State of Cybercrime report, researchers found that there has been no significant drop in volume of ransomware. Instead, the attacks are becoming more sophisticated. The study’s findings showed 257 new families of ransomware and new trends towards ransomware-as-a-service with regular updates and adaptations.
Both Savandi and Mansouri are still wanted by the FBI. But don’t expect either to be arrested and extradited to the U.S. to face charges anytime soon. The best the feds can hope for is the two ransomware hackers will be apprehended in a country where they can be detained.
Notable SamSam victims include:
- The City of Atlanta, Georgia
- The City of Newark, New Jersey
- The Port of San Diego, California
- The Colorado Department of Transportation
- The University of Calgary in Calgary, Alberta, Canada
- Hollywood Presbyterian Medical Center in Los Angeles, California
- Kansas Heart Hospital in Wichita, Kansas
- LabCorp, headquartered in Burlington, North Carolina
- MedStar Health, headquartered in Columbia, Maryland
- OrthoNebraska Hospital, in Omaha, Nebraska
- Allscripts Healthcare Solutions, headquartered in Chicago, Illinois