U.S. Charges Two Iranians for SamSam Ransomware Attacks

The U.S. Department of Justice has charged two Iranian men for creating and distributing a ransomware program called SamSam that caused massive disruptions in hospitals, municipalities and public institutions over the past few years.

SamSam appeared in late 2015 and immediately stood out because, unlike most ransomware at the time that spread through email phishing messages, it exploited vulnerabilities in publicly exposed services to gain a foothold inside networks.

SamSam attacks also involved a lot of manual hacking, with attackers deploying tools for lateral movement inside networks, which is more common for APT groups.

On Nov. 28, a grand jury in Newark, New Jersey, unsealed an indictment that charges Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, both of Iran, with multiple counts of conspiracy to commit wire fraud and causing damage to protected computers, in connection with the SamSam ransomware operation.

According to prosecutors, acting from inside Iran, Savandi and Mansouri managed to infect the computers of more than 200 organizations with the SamSam ransomware. The victims included the City of Atlanta; the City of Newark, New Jersey; the Port of San Diego; the Colorado Department of Transportation; the University of Calgary in Calgary, Alberta, Canada; Hollywood Presbyterian Medical Center in Los Angeles; Kansas Heart Hospital in Wichita, Kansas; Laboratory Corporation of America Holdings, aka LabCorp, headquartered in Burlington, North Carolina; MedStar Health, headquartered in Columbia, Maryland; Nebraska Orthopedic Hospital now known as OrthoNebraska Hospital, in Omaha, Nebraska and Allscripts Healthcare Solutions, headquartered in Chicago.

In many cases, the attacks severely disrupted the activity of the affected organizations, causing more than $30 million USD in losses. The prosecutors estimate that the suspects managed to extort and collect more than $6 million USD in Bitcoin ransom payments, which they then converted to local currency in their home country.

Over the past three years, SamSam’s creators continued to improve their malware and launch new attacks, the last one identified in the indictment dating from September this year. The attackers also conducted extensive online research to select their targets, including scanning exposed systems for known vulnerabilities. These included vulnerabilities in JBoss and other Java-based servers, Remote Desktop Protocol (RDP) services and FTP servers.

“As a result of the indictment, the defendants are now fugitives from justice,” Assistant Attorney General Brian A. Benczkowski said during a press conference. “This case demonstrates the Department of Justice’s commitment to identifying and prosecuting cybercriminals, wherever they choose to base their operations. We will continue to work together with our law enforcement partners, here in the United States and around the world, along with victims, to gather evidence and build cases to ensure there are no safe havens for cybercriminals to operate.”

With Savandi and Mansouri based in Iran and with little chance of them being extradited unless they leave the country, it remains to be seen whether the SamSam attacks will stop.

FBI and Industry Partnership Disrupt Massive Ad Fraud Botnet

The FBI in collaboration with Google, White Ops and many cybersecurity firms, internet infrastructure providers and large internet companies, has managed to disrupt a massive advertising fraud operation.

The operation, dubbed 3ve (pronounced Eve), was one of the most complex ones seen to date and controlled more than 1 million IP addresses from residential botnet infections and corporate networks, primarily from North America and Europe.

The operation was split into smaller parts that ran independent ad fraud schemes and its infrastructure comprised of thousands of servers spread across many data centers. Investigating 3ve was a cross-industry collaborative effort that spanned a year.

On Nov. 27, the U.S. Department of Justice indicted eight defendants in connection with the ad fraud scheme. Three of them were arrested in Malaysia, Bulgaria and Estonia and await extradition.

The attackers used the Boaxxe/Miuref and Kovter malware programs, as well as Border Gateway Protocol (BGP) hijacking to gain control over unique IP addresses. They then created fake websites with premium ads and used the IPs under their control to generate fake traffic on those pages in order to earn advertising revenue.

US-CERT has published a technical alert on the 3ve operation and Google and White Ops issued a joint technical report.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin