Iranian SamSam Ransomware Identified  by OFAC and DOJ

A coordinated effort across U.S. and International law enforcement agencies has set new compliance precedents for companies or individuals that are forced to pay for ransomware using cryptocurrency.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and U.S. Department of Justice has indicted two Iran-based individuals, Ali Khorashadizadeh and Mohammad Ghorbaniyan. The indicted were charged with exchanging bitcoin ransom payments derived from SamSam Ransomware payments into Iranian rial, and also deposited the rial into Iranian banks.  

OFAC highlighted two digital currency addresses belonging to the indicated that processed over 7,000 transactions, interacted with over 40 exchanges, including some US-based exchangers, and sent approximately 6,000 bitcoin worth millions of USD. Blended into these sums were bitcoin derived from SamSam ransomware.  

Federal Agencies are taking a hard line on cryptocurrency compliance

In addition to the indictments, Treasury is targeting digital currency exchangers who have enabled Iranian cyber actors to profit from extorting digital ransom payments from their victims.

The unprecedented step of publishing digital currency addresses to identify illicit actors operating in the digital currency space indicates that Treasury is taking an aggressive stance towards compliance in the digital currency communities. As a result of Treasury’s action, persons that engage in transactions with these wallets or future wallets published by OFAC could be subject to secondary sanctions. This may include any company that pays for ransomware and unknowingly pays into a wallet address on the OFAC list.

Ransomware Payment Compliance is now a requirement

Previous to the actions by OFAC both federal agencies and private organizations have recognized the need for victims of ransomware to transact safely. Now that OFAC has begun publishing wallet address on its updated lists, victims of ransomware need to understand the risks they are taking when considering paying for ransomware. As stated in our first words to the public, and as any client of ours knows, we take compliance seriously and have already updated our own internal compliance procedures in response to OFAC’s new publication. As these new measures further unfold, we will continue to take a proactive stance towards ensuring that the facts and circumstances of our clients cases consider these new compliance mandates.

SamSam Ransomware targets high profile organizations

SamSam ransomware has targeted over 200 known victims in the United States, United Kingdom, and Canada since 2015.  SamSam ransomware attacks typically begin with compromised Remote Desktop Protocol to gain administrator rights that allow them to take control of a victim’s servers and files, without the victim’s authorization.  The cyber actors then demand a ransom be paid in bitcoin in order for a victim to regain access and control of its own network.

The debate on paying ransomware continues as SamSam claims more victims

SamSam ransomware continues to affect organizations worldwide, though the most infamous case involves a US hospital. The SamSam attack on Hollywood Presbyterian Hospital near Los Angeles shut down systems across its facility, blocked access to patient medical records, MRIs, X-rays and blood tests.  Patients were turned away for a week, until the hospital ultimately paid a $17,000 ransom.

This SamSam ransomware attack sparked a debate over whether or not companies should pay ransoms to  decrypt critical data. The debate continued following the City of Atlanta’s decision not to pay a $50k ransom and instead spend millions of taxpayer dollars to rebuild their IT.

*** This is a Security Bloggers Network syndicated blog from Blog | Latest Ransomware News and Trends | Coveware authored by Bill Siegel. Read the original post at: https://www.coveware.com/blog/2018/11/29/iranian-samsam-ransomware-identified-by-ofac-and-doj