The Stack Archive News Article

Two Iranians indicted for SamSam ransomware attacks

Thu 29 Nov 2018

The FBI has identified two of the perpetrators responsible for long-running cybercrime that crippled hospitals, government agencies and institutions in US and Canada

According to the FBI, Iranian residents Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri were two of the culprits behind the notorious ransomware attacks that infected more than 230 entities and caused $30 billion in damages. The duo also raked in $6 million from ransom payments extorted.

Both men have been charged with one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer, and two substantive counts of transmitting a demand in relation to damaging a protected computer.

Nowhere to hide

FBI Executive Assistant Director Amy Hess had an ominous warning for cybercriminals around the world:

“Regardless of where a criminal resides, we will pursue. We will make travelling, business relations, and networking painful for those who commit these acts. We will stay on the case, and we will catch them when they slip up,” she said.

In the 34-month long scheme, conducted from inside Iran, the masterminds hacked into victims’ computers and installed the SamSam ransomware, leaving data encrypted and business operations weakened.

Thinking bitcoin could provide ample cover, the men then demanded victims pay ransoms in the cryptocurrency in exchange for decryption keys.

It is becoming increasingly common for cybercriminals to use a combination of dark web refuge and bitcoin-based extortion – the assumption being that the combo sufficiently masks identities. But a triumphant Hess underscored that this approach may not be as foolproof as cybercrooks assume.

“This case shows that anonymisers may not make you as anonymous as you think you are. They used bitcoin to try to avoid detection, but this case shows that digital currency can be traceable.”


SamSam scrambles and encrypts documents of infected Windows machines. Beginning in December 2015 Savandi and Mansouri deployed various versions of the malware, attempting to maximise damage by encrypting backups. Over time, the duo added more sophisticated encryption to the ramsomware which made it more difficult to analyse.

Once deployed in a victim’s network, the pair launched a coordinated encryption attack disguised as legitimate network activity. Just to really add fuel to the fire, the attacks were normally launched outside regular business hours.

Data-less victims found themselves unable to carry out business operations, and most had no choice but to cough up bitcoin to retrieve decryption keys.

“To spur prompt payment, the ransom webpages often included a threatening timer clock after which a victim’s decryption keys would be deleted,” reads the indictment.

Caught out, but comfortably at large

Given that the US and Iran don’t exactly see eye to eye, the duo are unlikely to be handed over by the Iranian government anytime soon, if ever. The FBI’s press conference and online statements were noticeably short on detail about the putative extradition process (the US does not currently have an extradition treaty with Iran).

Deputy Attorney Gen. Rod Rosenstein however was optimistic that the Iranians would eventually find their way into an American prison.

“American justice has a long arm and we will wait and eventually, we are confident that we will take these perpetrators into custody,” he said.


cyberattack cybercrime iran malware ransomware US
Send us a correction about this article Send us a news tip