US identifies and charges SamSam ransomware authors

In a wave of attacks spanning three years, the US government has charged the people behind it, but getting them in handcuffs won't be easy

29 Nov 2018

The US has identified and charged two Iranian men who it believes to be behind the SamSam ransomware attack that has run riot since 2015. The only issue is, US authorities don't have the jurisdiction to reprimand them at this time.

Believed currently to be in Tehran, the two men are out of US jurisdiction but the country's law enforcement is seeking alternative methods for their capture.

"Although the alleged criminal actors are in Iran and currently out of the reach of US law enforcement," the FBI said, the BBC reported, "they can be apprehended if they travel, and the United States is exploring other avenues of recourse."

"The allegations in the indictment unsealed today - the first of its kind - outline an Iran-based international computer hacking and extortion scheme that engaged in a 21st-Century digital blackmail," said US assistant attorney general Brian Benczkowski.

The ransomware attack is one of the most prevalent of its type in recent years, making headlines by holding up high-profile targets to their demands. American cities such as Atlanta, Indiana and New Mexico have been hit hard in particular, a hospital in Indiana was reduced to working by pen and paper earlier this year after their systems were hit by the attack. In 2016, a hospital in Hollywood was also forced to turn patients away and ultimately complied with the ransom demands and paid $17,000 in bitcoin.

It was misery in March 2018 for Atlanta which suffered a crippling attack on government systems. Five out of the 13 major government departments were reduced to pen and paper, including law enforcement who also lost a number of police records in the process. City council officials were resigned to sharing one clunky personal laptop between three, Reuters reports. How did they get access to so many systems? One researcher took to Twitter to highlight a glaring error.

C'mon @Cityofatlanta... SMBv1 open on web.atlantaga[.]gov to the internet? Have we learned nothing!?#ransomware #Atlanta pic.twitter.com/t35SalTcEE
— 🆁🅴🅶🅶🅸🅴 (@Ring0x0) March 23, 2018

When greeted with the splash page after the system has been infected, users are met with a lot of 'sorry' messages, presumably peppered to illicit a feeling of honesty, that the authors of the ransomware will actually pay up, which isn't generally advised.

The cost of the ransom increased exponentially as the years went by. At the start, the victim had two options, to pay 0.8 bitcoin for each infected PC or pay 4.5 bitcoin to get the decryption keys to all infected system's files. It later rose to 1.7 bitcoin for each system or 12 bitcoin for all, 40,000 in today's money. It's difficult to believe how long the SamSam project ran on, continually finding vulnerabilities that weren't properly patched.

It's reported to have made the authors hundreds of thousands of dollars; the US Treasury has also identified and is seeking capture of two Iranian men who helped convert the bitcoin into Iranian currency, the rial, after monitoring bitcoin wallet addresses associated with the outfit.