US Charges Iranian Hackers For SamSam Cyberattack
The United States has indicted two Iranians for launching a major cyberattack using the ransomware “SamSam.”

According to Reuters, the six-count indictment charged Iran-based Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri with one count of conspiracy to commit wire fraud and one count of conspiracy to commit fraud related to computers, as well as additional counts for intentionally damaging protected computers and illegally transmitting demands related to protected computers.

In addition, the Treasury Department sanctioned Ali Khorashadizadeh and Mohammad Ghorbaniyan for exchanging digital ransomware payments into rials.

“The allegations in the indictment unsealed today — the first of its kind — outline an Iran-based international computer hacking and extortion scheme that engaged in 21st-century digital blackmail,” said Assistant Attorney General Brian Benczkowski.

Last year, the FBI revealed that SamSam ransomware attacks were on the rise — and the attackers were getting more demanding.

Written in C#, the malware goes after a particular unpatched server vulnerability — and according to experts, the hackers behind it are still learning the extortion game.

“MSIL or Samas.A (SAMSAM) was used to compromise the networks of multiple U.S. victims, including 2016 attacks on healthcare facilities that were running outdated versions of the JBoss content management application,” the FBI says. “SamSam exploits vulnerable Java-based Web servers. SamSam uses open-source tools to identify and compile a list of hosts reporting to the victim’s active directory.”

“The actors then use PsExec.exe to distribute the malware to each host on the network and encrypt most of the files on the system,” the FBI added. “The actors charge varying amounts in bitcoin to provide the decryption keys to the victim.”

An NYC hospital, for example, was extorted to pay $44,000 to SamSam operators or lose access to its systems after a successful infection. The hospital, incidentally, said no — and endured a month of disruption before the hospital’s systems were restored.
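The FBI description above gives defenders one concrete thing to watch for: a single account pushing PsExec to many hosts in a short burst, which is the distribution step before mass encryption. The following is an added example (not from the article, the FBI, or any SamSam analysis) that flags that fan-out pattern in constructed Windows System-log records; PsExec leaves a service-install event (Event ID 7045, service name PSEXESVC) on each target, and the hostnames, account names and timestamps here are invented sample data.

```python
"""Flag PsExec fan-out: one account installing the PSEXESVC service on many
hosts within a short window. Added example; all records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, host, event_id, service_name, account)
EVENTS = [
    ("2018-03-01T02:10:05", "FILESRV01", 7045, "PSEXESVC", "CORP\\svc_admin"),
    ("2018-03-01T02:10:09", "HR-WS-12", 7045, "PSEXESVC", "CORP\\svc_admin"),
    ("2018-03-01T02:10:14", "DB02", 7045, "PSEXESVC", "CORP\\svc_admin"),
    ("2018-03-01T02:10:21", "PACS01", 7045, "PSEXESVC", "CORP\\svc_admin"),
    ("2018-03-01T02:10:30", "LAB-WS-03", 7045, "PSEXESVC", "CORP\\svc_admin"),
    ("2018-03-01T09:45:00", "HELPDESK7", 7045, "PSEXESVC", "CORP\\jdoe"),  # lone admin use
    ("2018-03-01T02:11:00", "DB02", 7045, "Spooler", "NT AUTHORITY\\SYSTEM"),  # unrelated
]

def psexec_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {account: sorted hosts} for accounts that installed PSEXESVC on at
    least `min_hosts` distinct hosts inside any `window`-long span. Isolated
    installs are ignored because legitimate admin use of PsExec is common."""
    by_account = defaultdict(list)
    for ts, host, eid, svc, acct in events:
        if eid == 7045 and svc.upper() == "PSEXESVC":
            by_account[acct].append((datetime.fromisoformat(ts), host))

    hits = {}
    for acct, installs in by_account.items():
        installs.sort()  # time order so a sliding window is valid
        start = 0
        for end in range(len(installs)):
            # shrink the window from the left until it spans <= `window`
            while installs[end][0] - installs[start][0] > window:
                start += 1
            hosts = {h for _, h in installs[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits.setdefault(acct, set()).update(hosts)
    return {acct: sorted(hosts) for acct, hosts in hits.items()}

if __name__ == "__main__":
    for acct, hosts in psexec_fanout(EVENTS).items():
        print(f"PsExec fan-out by {acct}: {len(hosts)} hosts -> {hosts}")
```

The thresholds are deliberately conservative; in a real environment they are tuned against the normal rate of PsExec use by the help desk and patching tools.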