Two Iranian hackers accused of developing and deploying the SamSam ransomware arrested

• SamSam ransomware infected over 20 targets across the globe.
• Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, have been indicted by the US DoJ.

The US DoJ indicted two Iranian cybercriminals for developing and deploying SamSam ransomware. Since December 2015, SamSam has infected over 200 targets across the globe, including the City of Atlanta, Georgia; the City of Newark, New Jersey; the Port of San Diego, California; the Colorado Department of Transportation and more.

Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, both of who hail from Iran, are believed to have raked in over $6 million in ransom and caused damages worth around $30 million.

“The allegations in the indictment unsealed today—the first of its kind—outline an Iran-based international computer hacking and extortion scheme that engaged in 21st-century digital blackmail,” Assistant Attorney General Benczkowski said in a statement. “These defendants allegedly used ransomware to infect the computer networks of municipalities, hospitals, and other key public institutions, locking out the computer owners, and then demanded millions of dollars in payments from them.”

According to the DoJ’s indictment, Savandi and Mansouri employed the services of other Iran-based Bitcoin exchangers while carrying out their operation. The hackers used network infrastructure located overseas and also conducted extensive research to select their victims. The duo is not believed to have any ties to the Iranian government, despite a recent uptick in state-sponsored attacks.

“SamSam ransomware is a dangerous escalation in cybercrime,” said US Attorney Craig Carpenito at a Wednesday press conference announcing the charges, Wired reported. “This is a new type of cybercriminal. Money is not their sole objective.”

“The criminals believed they were masking their identities on the dark web. However, this case shows that anonymizers may not make you as anonymous as you think you are. They used bitcoin to avoid detection, but this case shows that the digital currency can be traceable,” said FBI executive assistant director Amy Hess at a press conference Wednesday.

Unlike other ransomware variants, which are usually propagated via phishing or other social engineering techniques, SamSam spreads using vulnerabilities or weak authentication. In other words, the cybercriminals need no interaction from the victim to propagate.

It remains to be seen whether the indictment of the two Iranian hackers will result in reducing SamSam ransomware infections. Although previous arrests have seen malware attacks slowing down or ending, that is not always the case.