We’re sure you know what ransomware is by now.
ICYMI, ransomware is malicious software that scrambles your files with a randomly generated cryptographic key…
…and then sends the one and only copy of that decryption key to the crooks.
Who promptly offer to sell it back to you so that you can unlock your data and get your business moving again.
Instead of using mass spamming techniques to blast their malware to millions of recipients in the hope of collecting thousands of dollars each from thousands of victims scattered all over the world, the SamSammers used a more pin-point approach.
They identified lists of networks where they knew there was a security hole, such as a remote access portal with a guessable password, and picked just one network at a time to attack.
By scrambling hundreds of computers in a single network at the same time – often, ironically, by employing the same sort of sysadmin techniques that a legitimate IT staffer might use to distribute a genuine software update – the crooks generally ended up in a very strong position from which to extort money.
“All-you-can-eat buffet” pricing
Indeed, their extortion demands reflected the power they wielded – they generally “offered” a “price” of about $8000 per computer…
…or $50,000 for what you might call the “all-you-can-eat buffet” option, offering what was effectively a network-wide licence to decrypt all your computers for one lump sum.
You can probably imagine getting by for a few days with 5% or even 10% of your network out of action, but not if 50% of more of all your laptops and servers are frozen and unusable.
And that’s what the SamSammers were banking on: a situation where some organisations had little choice but to pay up.
The biter bit
Well, justice, of a sort, is in the process of being served.
The FBI claims to have identified two of the perpetrators of this long-running cybercrime, publicly naming them as Mohammad Mehdi Shah Mansour (27) and Faramarz Shahi Savandi (34), both allegedly resident in Tehran, the capital of Iran.
- Conspiracy to commit fraud and related activity in connection with computers.
- Conspiracy to commit wire fraud.
- Intentional damage to a protected computer.
- Transmitting a demand in relation to damaging a protected computer.
Additionally, the US Department of the Treasury has publicly identified two other Iranians, Ali Khorashadizadeh and Mohammad Ghorbaniyan, whom the Treasury accuses of helping Mansour and Savandi to convert their extortion “earnings” – paid in Bitcoin by their victims – into Iranian currency.
What happens next?
If the defendants are, indeed, in Iran, it seems unlikely – at least in the current political climate – that they will ever be sent for trial in or by the United States.
That doesn’t mean they’re home free, of course – if they’ve made as much money as we suspect, they might fall foul of any number of rules and regulations in Iran, so for all we know they might face investigation on home soil.
Anyway, even if this revelation serves to scare the SamSammers into inactivity, there’s still plenty of cybercrime about, and plenty of other ransomware (and ransomware gangs) to take over where the SamSam crew left off.
So don’t let this announcement lull you into a false sense of security – the history of ransomware is full of stories about new strains that took over when existing ransomware groups were taken down.
Fortunately, the same advice that we gave to help to protect you from SamSam will help you against ransomware – and cybercrime – in general, so please revisit it now!
We also urge you to read the SophosLabs 2019 Threat Report, in which we analyse the state of play in cybercrime today, including a section on ransomware in general and SamSam in particular.