US charges Iranian ‘SamSam’ hackers Dave Lee

North America technology reporter Published duration 29 November 2018

image copyright FBI image caption The accused are currently believed to be in Tehran

The hacking attack was said to have lasted for 34 months, holding schools, hospitals, universities in several countries to ransom - earning the perpetrators millions of dollars in the process.

Now US prosecutors have charged two Iranians they believe were behind the attack - though justice is perhaps unlikely.

“Although the alleged criminal actors are in Iran and currently out of the reach of US law enforcement,” the FBI said, “they can be apprehended if they travel, and the United States is exploring other avenues of recourse.”

They are accused of carrying out a ransomware attack - malicious software that locks files and systems and demands a fee to unlock them.

“The allegations in the indictment unsealed today - the first of its kind - outline an Iran-based international computer hacking and extortion scheme that engaged in a 21st-Century digital blackmail,” said US assistant attorney general Brian Benczkowski on Wednesday.

Additionally, two other Iranians were sanctioned by the US Treasury for facilitating the exchange of Bitcoin into Iran’s currency, the rial.

'Take control'

The scheme is said to have cost around 230 victims more than $30m (£23m) as they struggled to work around the shutdown of their systems. Court documents named 12, including a Hollywood hospital that had to turn away patients in early 2016

Elsewhere in the US, the city of Atlanta saw five different government departments infected with the ransomware, known as SamSam. It meant residents were unable to pay utility bills, and police officers reverted to paper-based reports.

There were other victims in the UK and Canada, the FBI said.

media caption Technology explained: what is ransomware?

“To execute the SamSam ransomware attack, cyber actors exploit computer network vulnerabilities to gain access and copy the SamSam ransomware into the network.

“Once in the network, these cyber actors use the SamSam ransomware to gain administrator rights that allow them to take control of a victim’s servers and files, without the victim’s authorisation.

“The cyber actors then demand a ransom be paid in bitcoin in order for a victim to regain access and control of its own network.”

The FBI said two men - Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri - were responsible for deploying the ransomware which, although notable for its impact, was considered by security experts to be unremarkable in its design.

As is often the case with ransomware attacks, the efficacy was more likely strengthened by poorly maintained, out-of-date computer systems, rather than the sophistication or determination of the attackers.

New sanctions

Perhaps more significant in this case is the US Treasury’s decision to impose sanctions on two more men - Ali Khorashadizadeh and Mohammad Ghorbaniyan - who were said to have helped the criminals convert the ransom money, which was paid in digital currency Bitcoin, into “real” money - the Iranian rial.

The Treasury’s Office of Foreign Assets Control specified two accounts used to send and receive funds - known as Bitcoin wallets - that it said were associated with the accused.

It means if a Bitcoin trading platform facilitates a transaction to either account, it could face severe penalties, including being blocked from operating in the US.

The Treasury said it was the first time it had marked specific digital currency as being linked to sanctioned individuals. Due to the nature of digital currency, however, the accused could of course avoid the restrictions by simply using a different wallet not yet known to authorities.________

Follow Dave Lee on Twitter @DaveLeeBBC

Do you have more information about this or any other technology story? You can reach Dave directly and securely through encrypted messaging app Signal on: +1 (628) 400-7370