28 November 2018
American prosecutors have announced criminal charges against two Iranian nationals accused of carrying out a ransomware campaign which affected hundreds of networks worldwide, following an investigation involving the FBI and the UK’s National Crime Agency.
The two men, Mohammad Mehdi Shah Mansouri, aged 27, and Faramarz Shahi Savandi, 34, are alleged to have infected over 200 victims, largely in the US and Canada, with the SamSam ransomware virus.
Among those affected were healthcare providers, public transportation bodies, shipping and local government services.
Since the beginning of their campaign in December 2015 they are believed to have taken over US$6m in victim payments, laundering the money through bitcoin exchanges. Two such exchanges now face sanctions from the US Treasury.
The men are accused of using either brute force attacks or stolen login credentials to place malware onto victims' servers; because the logins appeared legitimate, the malware was far more difficult to detect. Some of the stolen login details were bought on darknet marketplaces.
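The intrusion route described above, logins that are brute-forced or made with stolen credentials and so look legitimate, is why defenders watch authentication logs for bursts of failed logins followed by a success from the same source. The Python script below is an added illustration for this article and is not code from the NCA, the FBI or the investigation; the sshd-style log format, the IP addresses, usernames, timestamps and the five-failures-in-five-minutes threshold are all constructed for the example.

```python
"""Flag password-guessing bursts in authentication logs (constructed sample)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an sshd-like format; not taken from any real system.
SAMPLE_LOG = """\
2018-11-20T02:00:01 sshd[1201]: Failed password for admin from 198.51.100.23 port 50122
2018-11-20T02:00:03 sshd[1201]: Failed password for admin from 198.51.100.23 port 50123
2018-11-20T02:00:05 sshd[1201]: Failed password for root from 198.51.100.23 port 50124
2018-11-20T02:00:07 sshd[1201]: Failed password for backup from 198.51.100.23 port 50125
2018-11-20T02:00:09 sshd[1201]: Failed password for admin from 198.51.100.23 port 50126
2018-11-20T02:00:12 sshd[1201]: Accepted password for admin from 198.51.100.23 port 50127
2018-11-20T02:03:40 sshd[1310]: Failed password for alice from 203.0.113.8 port 41000
2018-11-20T02:10:00 sshd[1311]: Accepted password for alice from 203.0.113.8 port 41001
"""

# Matches only the two event types the detector cares about.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse(log_text):
    """Turn matching log lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that produced `threshold` or more
    failures inside a sliding `window`, noting whether a successful login
    from the same IP followed the burst (the case worth escalating)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        recent_failures = []
        for e in evs:
            if e["ok"]:
                continue
            recent_failures.append(e["ts"])
            # Drop failures that have aged out of the sliding window.
            recent_failures = [t for t in recent_failures if e["ts"] - t <= window]
            if len(recent_failures) >= threshold:
                later_success = any(x["ok"] and x["ts"] >= e["ts"] for x in evs)
                alerts.append({
                    "ip": ip,
                    "failures": len(recent_failures),
                    "users": sorted({x["user"] for x in evs if not x["ok"]}),
                    "success_after_burst": later_success,
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample, only 198.51.100.23 trips the threshold: five failures across three usernames in eight seconds, then an accepted login for `admin`, which is the pattern of a guessed or stolen password rather than a user mistyping. The single failure from 203.0.113.8 stays below the threshold. In practice the same logic is applied to RDP, VPN and web-application logs, and the threshold is tuned per service.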
Once infected, victims would find their computers encrypted and receive a note instructing them to make bitcoin payments through a Tor hidden site. After paying, they would receive cryptographic tools to decrypt their network.
Both men are now wanted by the US authorities.
Mark Stirling, from the NCA’s National Cyber Crime Unit, said:
“NCA investigators working with our US colleagues were able to determine that this crime group used UK infrastructure to carry out some of their criminality.
“Because of that we were able to provide the US with digital forensic evidence that was crucial to these charges being laid and the identification of those accused of running the SamSam ransomware campaign.
“It demonstrates once again that this form of crime does not recognise international borders, so it takes an international law enforcement response to bring the perpetrators to justice.”