SamSam ransomware created by Iranian hackers, says US DoJ

The destructive ransomware demanded $6m in ransoms and caused $30m in damages during a series of high-profile outbreaks in 2018.

The US Department of Justice has charged two Iranian nationals with computer hacking offences in connection with the global SamSam ransomware outbreak.

A particularly destructive form of file-locking malware, SamSam has terrorised organisations around the globe, with a particular focus on the United States. According to the indictment, SamSam ransomware affected more than 200 victims across the US, including hospitals, city governments, and other organisations.

Some of the most high-profile victims included the City of Atlanta, the Hollywood Presbyterian Medical Center in Los Angeles and the Port of San Diego. In some cases, victims of SamSam paid the attackers over $50,000 in bitcoin in exchange for regaining access to their network.

The campaign was lucrative for its authors, with the indictment describing how those behind the scheme have netted over $6m in ransom payments -- a figure reported by researchers in July -- and caused over $30m in damage.

A federal grand jury has charged 34-year-old Faramarz Shahi Savandi and 27-year-old Mohammad Mehdi Shah Mansouri -- both Iranian nationals -- with the creation of SamSam ransomware.

It's alleged that the two men created the first version of SamSam ransomware in December 2015, before going on to build refined versions in June and October 2017. It's said that they utilized overseas computer infrastructure to help carry out attacks, as well as using "sophisticated online reconnaissance techniques" to scope out potential targets.

Often, computers became infected after their Remote Desktop Protocol (RDP) access was compromised, either through brute-force attacks or with credentials purchased on the dark web.
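Because the initial access described above leaves a distinctive trail in Windows logon auditing, a defender can look for it directly. The following is an added example, not code from the article or from any of the agencies or researchers it cites: it parses a small set of constructed log lines, loosely modelled on Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP), and flags any source address that produces a burst of failed RDP logons inside a short window, noting whether that same source then logged on successfully. The field layout, timestamps, account names and addresses are all constructed; real event records carry many more fields and would need their own parser.

```python
"""Added example: flag RDP brute-force bursts, and a success that follows one,
from constructed Windows-style logon audit lines. Not code from the article."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, loosely modelled on Security events 4625 and 4624.
# LogonType=10 is RemoteInteractive (an RDP session). Accounts, times and the
# documentation-range addresses (203.0.113.0/24, 198.51.100.0/24) are made up.
SAMPLE_LOG = """\
2018-03-22T02:14:01 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.45
2018-03-22T02:14:03 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.45
2018-03-22T02:14:06 EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.45
2018-03-22T02:14:09 EventID=4625 LogonType=10 Account=backup SourceIP=203.0.113.45
2018-03-22T02:14:12 EventID=4625 LogonType=10 Account=jsmith SourceIP=203.0.113.45
2018-03-22T02:14:15 EventID=4624 LogonType=10 Account=jsmith SourceIP=203.0.113.45
2018-03-22T08:30:00 EventID=4625 LogonType=10 Account=mlee SourceIP=198.51.100.7
2018-03-22T08:30:20 EventID=4624 LogonType=10 Account=mlee SourceIP=198.51.100.7
2018-03-22T09:05:00 EventID=4625 LogonType=2 Account=svc-sql SourceIP=127.0.0.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<account>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the constructed line format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event": int(m["event"]),
            "logon_type": int(m["ltype"]),
            "account": m["account"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "accounts": [...], "succeeded": bool}} for every
    source that produced at least `threshold` failed RDP logons (4625, type 10)
    inside a sliding `window`. `succeeded` is True when the same source then
    logged on successfully over RDP (4624, type 10) shortly after the burst,
    which is the shape a guessed or purchased credential leaves behind."""
    failures = defaultdict(list)   # ip -> [(ts, account), ...] in time order
    successes = defaultdict(list)  # ip -> [ts, ...]
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:
            continue  # only RDP sessions are of interest here
        if ev["event"] == 4625:
            failures[ev["ip"]].append((ev["ts"], ev["account"]))
        elif ev["event"] == 4624:
            successes[ev["ip"]].append(ev["ts"])

    alerts = {}
    for ip, fails in failures.items():
        # Slide a window over the sorted failure timestamps; stop at the first
        # point where `threshold` failures fall inside it.
        start, triggered = 0, None
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                triggered = fails[end][0]
                break
        if triggered is None:
            continue
        last_fail = fails[-1][0]
        succeeded = any(triggered <= ts <= last_fail + window
                        for ts in successes.get(ip, []))
        alerts[ip] = {
            "failures": len(fails),
            "accounts": sorted({acct for _, acct in fails}),
            "succeeded": succeeded,
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failed RDP logons across "
              f"{len(info['accounts'])} accounts; success afterwards: {info['succeeded']}")
```

The single legitimate mistyped password from 198.51.100.7 never reaches the threshold, and the local non-RDP failure is ignored, so only the burst from 203.0.113.45 is reported, with `succeeded` set because a logon from that address landed seconds after the fifth failure. In practice the threshold and window are tuned per environment, and the more durable mitigations are not exposing RDP to the internet at all, requiring a VPN or gateway with multi-factor authentication in front of it, and locking out accounts after repeated failures.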

"The defendants in this case developed and deployed the SamSam Ransomware in order to hold public and private entities hostage and then extort money from them," said US Attorney Carpenito.


"The charges announced today show that the US Attorney's Office for the District of New Jersey will continue to act to disrupt such criminal acts, and identify those who are responsible for them, no matter where in the world they may seek to hide."

Each of the defendants has been charged with one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer, and two substantive counts of transmitting a demand in relation to damaging a protected computer.

"This indictment demonstrates the FBI's continuous commitment to unmasking malicious actors behind the world's most egregious cyber attacks," said FBI executive assistant director Amy Hess.

"The actions highlighted today, which represent a continuing trend of cyber criminal activity emanating from Iran, were particularly threatening, as they targeted public safety institutions, including U.S. hospital systems and governmental entities," she added.

The case was investigated by a number of law enforcement agencies, including the FBI, the National Crime Agency and the West Yorkshire Police in the UK, as well as Calgary Police Service and the Royal Canadian Mounted Police.

It's highly unlikely the two suspects will travel to the US to face questioning, but the indictment follows the recent trend of the US naming and shaming those suspected of conducting cyber attacks.

In recent months, the Department of Justice has charged Russian military intelligence officers with international hacking offences as well as charging a North Korean programmer for the WannaCry ransomware outbreak and other hacking campaigns.

"The FBI, with the assistance of our private sector and U.S. government partners, are sending a strong message that we will work together to investigate and hold all criminals accountable," said Hess.
