The RCMP and Calgary Police are credited by the U.S. Justice Department with being among the agencies that helped a 34-month-long international investigation that led to a grand jury indictment Wednesday of two Iranian citizens for allegedly creating and spreading the SamSam ransomware.
The six-count indictment alleges that the two men were behind the malware that, starting in December 2015, victimized some 200 organizations and people including the University of Calgary; the city of Atlanta; the port of San Diego; the Colorado Department of Transportation; and six health care-related entities in the U.S.
In August, security vendor Sophos estimated that 74 per cent of SamSam victims were in the U.S., eight per cent in the U.K., six per cent in Belgium and five per cent in Canada.
The indictment alleges that the accused — now on the FBI’s most wanted list — have collected over US$6 million in ransom payments to date, and caused over US$30 million in losses to victims. The most recent victim was stung Sept. 25th.
Involved in the investigation were the FBI, the RCMP, Calgary police, the U.K. National Crime Agency and Britain’s West Yorkshire Police.
The RCMP and Calgary police couldn’t be reached for comment on Wednesday evening.
The two men are charged with one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer and two substantive counts of transmitting a demand in relation to damaging a protected computer.
According to the indictment, the accused created the first version of SamSam in December 2015, and refined it in 2017. The first victim was a business in Mercer County, followed by municipalities and hospitals. Pointing to the healthcare institutions, the indictment says the accused were “cravenly taking advantage of the fact that these victims depend on their computer networks to serve the public, the sick, and the injured without interruption.”
Typical for ransomware, Bitcoin was demanded in exchange for decryption keys. The indictment alleges computer infrastructure outside of Iran was also leveraged to commit the attacks.
Untypically for ransomware, which is often spread by spam, the accused used sophisticated online reconnaissance techniques, such as scanning for computer network vulnerabilities and conducting online research, in order to select and target potential victims, according to the indictment. The attacks were then made to look like legitimate network activity, and were often launched outside regular business hours. The attacks often encrypted backups of the victims’ computers.
According to security vendor Sophos, those behind SamSam, after finding weak points, often brute-force Remote Desktop Protocol (RDP) passwords or exploit unpatched holes in JBoss application servers to get into networks. Once in, they move laterally, working one step at a time to steal domain admin credentials, manipulate internal controls, disable back-ups and more to hand-deliver the ransomware. Other cybercriminals have taken note.
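The RDP password brute-forcing that Sophos describes as the usual entry point leaves a distinctive trail in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a successful logon (Event ID 4624) from the same address. The following detector is an added example written for this article, not code from Sophos, the indictment or any victim; the log records are constructed to illustrate the pattern, and the threshold and time window are assumptions a defender would tune to their own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records (not real telemetry).
# Event ID 4625 = failed logon, 4624 = successful logon.
# Logon type 10 = RemoteInteractive (RDP); type 3 = network logon (e.g. SMB).
SAMPLE_EVENTS = [
    {"time": "2018-09-25T02:14:01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2018-09-25T02:14:09", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"time": "2018-09-25T02:14:17", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2018-09-25T02:14:25", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_backup"},
    {"time": "2018-09-25T02:14:33", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_backup"},
    {"time": "2018-09-25T02:14:41", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_backup"},
    # the guess eventually lands: a successful RDP logon from the same address
    {"time": "2018-09-25T02:15:02", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_backup"},
    # a user mistyping a password once, then logging in: below threshold, no alert
    {"time": "2018-09-25T09:12:00", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.20", "user": "jsmith"},
    {"time": "2018-09-25T09:12:40", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.20", "user": "jsmith"},
    # network (type 3) failures are not RDP and are ignored by this detector
    {"time": "2018-09-25T02:20:00", "event_id": 4625, "logon_type": 3, "src_ip": "192.0.2.5", "user": "guest"},
    {"time": "2018-09-25T02:20:05", "event_id": 4625, "logon_type": 3, "src_ip": "192.0.2.5", "user": "guest"},
    {"time": "2018-09-25T02:20:10", "event_id": 4625, "logon_type": 3, "src_ip": "192.0.2.5", "user": "guest"},
]

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624


def parse_time(stamp):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.fromisoformat(stamp)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that produced at least `threshold` failed
    RDP logons inside `window`, noting whether a successful RDP logon from the
    same IP followed within another `window`. Threshold and window are assumed
    starting values, not figures from the article."""
    rdp_events = sorted(
        (e for e in events if e["logon_type"] == RDP_LOGON_TYPE),
        key=lambda e: parse_time(e["time"]),
    )
    by_ip = defaultdict(list)
    for event in rdp_events:
        by_ip[event["src_ip"]].append(event)

    alerts = []
    for src_ip, ip_events in by_ip.items():
        failures = [e for e in ip_events if e["event_id"] == FAILED_LOGON]
        # Slide a window forward over the failures until one burst reaches the threshold.
        for i, first in enumerate(failures):
            t0 = parse_time(first["time"])
            burst = [f for f in failures[i:] if parse_time(f["time"]) - t0 <= window]
            if len(burst) < threshold:
                continue
            t_end = parse_time(burst[-1]["time"])
            # A success shortly after the burst is the higher-severity case:
            # the password guessing most likely worked.
            success = next(
                (e for e in ip_events
                 if e["event_id"] == SUCCESS_LOGON
                 and t_end <= parse_time(e["time"]) <= t_end + window),
                None,
            )
            alerts.append({
                "src_ip": src_ip,
                "failures": len(burst),
                "users_tried": sorted({f["user"] for f in burst}),
                "first": burst[0]["time"],
                "last": burst[-1]["time"],
                "followed_by_success": success is not None,
                "success_user": success["user"] if success else None,
            })
            break  # one alert per source IP is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        severity = "HIGH" if alert["followed_by_success"] else "MEDIUM"
        print(f"[{severity}] {alert['src_ip']}: {alert['failures']} RDP failures "
              f"{alert['first']}..{alert['last']} users={alert['users_tried']} "
              f"success_as={alert['success_user']}")
```

Run against the constructed sample it raises a single high-severity alert for 203.0.113.7 (six failures across four account names, then a successful logon as `svc_backup`) and stays quiet on the lone mistyped password and on the non-RDP failures. The "followed by success" flag is the part worth acting on first, since in the SamSam pattern described above a successful RDP logon is the beginning of the hands-on lateral movement rather than the end of the intrusion.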
The indictment “goes to show that no amount of malicious code, covert operations and cryptocurrency puts a criminal beyond our ability to identify and bring forth charges for stealing and extorting money from innocent people,” said Chester Wisniewski, a Vancouver-based principal research scientist at Sophos. “By identifying the Bitcoin wallets associated with this criminal activity they [police] have essentially marked them as poison. Anyone who attempts to help launder those cryptocurrencies and assists in converting them to real money will be an accessory to the crimes alleged to have been committed.”