The U.S. Department of Justice has released an update on the investigation of the threat actors behind the SamSam ransomware attacks. SamSam ransomware is a custom infection used in targeted attacks against the healthcare industry in recent years. The malware was brought to the forefront of public attention when it was used to cripple the City of Atlanta in an attempt to extort tens of thousands of dollars from the local government earlier this year. The clean-up costs of the attack on the City of Atlanta are expected to be in excess of $10 million.
In collaboration with the Royal Canadian Mounted Police, Calgary Police Service, and the UK’s National Crime Agency and West Yorkshire Police, the DOJ has identified two individuals operating out of Iran who are believed to be behind the SamSam ransomware attacks.
Both individuals – Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri – have been indicted on four charges:
- Conspiracy to commit fraud and related computer activity
- Conspiracy to commit wire fraud
- Intentional damage to a protected computer
- Transmitting a demand in relation to damaging a protected computer
The DOJ notes that this is the first ever U.S. indictment against criminals over a for-profit ransomware, hacking, and extortion scheme. With the huge increase in cybercriminals using ransomware in extortion attempts, it is unlikely to be the last. Ransomware is often easily available on the “dark web”, and once cybercriminals pick an appropriate target, it is a potentially lucrative endeavour. The healthcare industry is a common target for cybercriminals, due to the high black-market value of healthcare data and the often poor state of the cybersecurity infrastructure present in under-funded healthcare facilities.
The SamSam ransomware attacks were unusual in that the group conducts targeted, manual attacks on organizations. Most ransomware gangs use spam email and other mass distribution techniques to infect as many individuals as possible. It is thought that more sophisticated, targeted attacks make a scam more believable and therefore increase the chances of success.
The SamSam ransomware group exploits vulnerabilities and conducts brute-force Remote Desktop Protocol (RDP) attacks to gain access to systems, then investigates networks and moves laterally before manually deploying ransomware on as many computers as possible.
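As a defender-side illustration of the RDP brute-force access vector described above, here is an added example (not from the article, the DOJ, or any SamSam analysis): a small detector that flags bursts of failed RDP logons in parsed Windows Security log records. The record layout, the threshold and window, and the sample log records are assumptions constructed for this example.

```python
# Added example: flag RDP brute-force bursts in parsed Windows Security log
# records (Event ID 4625 = failed logon). RDP failures carry LogonType 10; with
# Network Level Authentication enabled they are logged as LogonType 3 instead,
# so both are counted. Sample records below are constructed, not real logs.
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {3, 10}


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {src_ip: alert} for each source with >= threshold failed RDP
    logons inside any window-long interval. Each event is a dict with keys
    ts (ISO 8601), event_id, logon_type, src_ip, user. The alert records the
    accounts tried, which separates password spraying from one user's typos."""
    recent = defaultdict(deque)  # src_ip -> (ts, user) failures in the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4625 or ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ts, ip = datetime.fromisoformat(ev["ts"]), ev["src_ip"]
        q = recent[ip]
        q.append((ts, ev["user"]))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"first_alert": ts.isoformat(), "attempts": len(q),
                          "users": sorted({u for _, u in q})}
    return alerts


def _ev(ts, event_id, logon_type, src_ip, user):
    return {"ts": ts, "event_id": event_id, "logon_type": logon_type,
            "src_ip": src_ip, "user": user}


# Constructed sample: one spraying burst from 203.0.113.7, two widely spaced
# failures from 198.51.100.9, a console (LogonType 2) failure, and a success.
SAMPLE_EVENTS = [
    _ev(f"2018-11-28T03:00:{s:02d}", 4625, 10, "203.0.113.7", u)
    for s, u in zip(range(0, 60, 10), ["administrator", "admin", "backup",
                                       "scanner", "rdpuser", "svc"])
] + [
    _ev("2018-11-28T01:00:00", 4625, 10, "198.51.100.9", "jsmith"),
    _ev("2018-11-28T04:30:00", 4625, 3, "198.51.100.9", "jsmith"),
    _ev("2018-11-28T03:00:05", 4625, 2, "-", "jdoe"),
    _ev("2018-11-28T03:01:00", 4624, 10, "203.0.113.7", "svc"),
]

if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: {a['attempts']} failed RDP logons, users {a['users']}")
```

A successful logon (Event ID 4624) from a source that has just triggered an alert is the higher-fidelity follow-on signal, since it indicates the brute force succeeded and lateral movement may follow.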
This method of attack allows the threat actors to inflict large amounts of damage in comparison to more “traditional” attacks. With a large percentage of an organization’s computers and systems taken out of action, the gang can issue large ransom demands. The ransoms demanded are typically in the range of $5,000 to $50,000, with the amount based on the number of devices that have been encrypted.
Approximately $6,000,000 in ransom payments have been collected from around 200 victims in the two years that the cybercriminal gang has been active. Many victims chose not to pay the ransom demands but still incurred significant costs mitigating the attacks. The DOJ estimates that, in addition to the ransom payments, losses from downtime caused by the attacks have exceeded $30 million.
In addition to the infamous attack on the City of Atlanta, the gang has targeted the cities of Newark and New Jersey, the Colorado Department of Transportation, and the Port of San Diego. Healthcare industry victims include Hancock Health, Adams Memorial Hospital, Kansas Heart Hospital, Allied Physicians of Michiana, Cass Regional Medical Center, Nebraska Orthopedic Hospital, LabCorp of America, Allscripts, and MedStar Health.
Research by Sophos, a British security company, indicates 26% of attacks were on healthcare organizations, 13% were on government agencies, 11% were on educational institutions, and 50% were on private companies. The attacks have primarily been conducted on organizations in the United States, with other victims spread across Canada, the UK, and the Middle East.
The DOJ said the SamSam ransomware gang “engaged in an extreme form of 21st-century digital blackmail, attacking and extorting vulnerable victims like hospitals and schools, victims they knew would be willing and able to pay.”
In a press release announcing the indictment, the DOJ stated: “This indictment highlight[s] the need for businesses, healthcare institutions, universities, and other entities to emphasize cyber security, increase threat awareness, and harden their computer networks.”