The U.S. Department of Justice recently announced the indictment of two Iranian nationals linked to the infamous SamSam ransomware attacks. This enforcement action underscores the ongoing threat posed by cybercriminals targeting crucial sectors within the United States.
Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah, 27, face multiple charges, as detailed in an indictment unsealed in New Jersey. They are accused of deploying SamSam ransomware to extort over $6 million in ransom payments since its inception in 2015, while also causing damages exceeding $30 million across 200 organizations, including hospitals, municipalities, and public institutions.
The indictment highlights that Savandi and Shah implemented targeted manual attacks rather than using automated distribution methods commonly associated with ransomware. This indicates a sophisticated approach, utilizing techniques such as exploiting known vulnerabilities in server software and brute-force attacks against Remote Desktop Protocol (RDP) services. These tactics align with MITRE ATT&CK framework methodologies, particularly Initial Access through exploiting known vulnerabilities and Credential Dumping for credential theft.
While both hackers remain at large in Iran, which has no extradition treaty with the United States, their names have been added to the FBI’s list of most-wanted cybercriminals. As the indictment reveals, the duo first launched their ransomware in December 2015 and have since refined their methods, creating variants that maximize damage by encrypting not just operational data but also targeted backups.
Documents from the indictment indicate that the attackers utilized European virtual private servers to obscure their identities while infiltrating victim networks. This highlights an advanced operational security mindset typical of adversaries engaged in cybercrime, using techniques consistent with MITRE ATT&CK’s tactics of Defense Evasion.
Among the victims of SamSam ransomware are notable organizations like the City of Atlanta and the Colorado Department of Transportation. The infiltration of such significant entities raises alarms about the vulnerabilities present in public infrastructure. After refusing to pay the ransom, the City of Atlanta incurred recovery costs estimated at $17 million—a stark reminder of the potential financial impact of such attacks.
In an alarming trend, SamSam’s ransom demands frequently exceed $50,000, showcasing a lucrative business model for these criminals. These higher-than-usual ransom figures, which position SamSam as the largest paid ransomware variant, illustrate the evolving landscape of ransomware; one individual victim paid as much as $64,000 to regain access to their data.
As business owners and cybersecurity professionals navigate these treacherous waters, awareness of the tactics and techniques used by cyber adversaries becomes imperative. While the indictment serves as a spotlight on the actions of these specific individuals, it also illustrates the broader vulnerabilities organizations face from sophisticated and economically driven cyber threats. The ongoing investigation and governmental response serve as reminders of the need for vigilance and robust cybersecurity measures as we move forward.
For organizations looking to enhance their defenses against ransomware and similar cyber threats, understanding the tactics detailed in the MITRE ATT&CK framework can provide critical insights into the adversarial landscape. Staying informed about the evolving tactics employed by cybercriminals is essential for mitigating risk and safeguarding sensitive data.