Does this look like the face of a hacker to you? Is this who you were expecting to be one of the alleged creators of SamSam ransomware?
The FBI just put his photo (and the name of a hacker colleague) onto a wanted poster. And the U.S. Department of Justice indicted the two Iranian men for creating and executing their SamSam ransomware to make the equivalent of $6 million in profits from victims in the U.S and Canada.
Our SecureWorld team took some time to read the indictment, and as it turns out, the indictment reveals a series of strategies used by the hackers.
These "hacker best practices" take us inside the playbook of cybercriminals so IT security leaders and cybersecurity teams can better understand their adversary. Let's take a look.
Hacker strategies revealed in ransomware indictment
Here are some key points in the ransomware playbook revealed by the hacker indictment:
- Network Scanning and Research for Weeks: "Savandi and Mansouri would also use sophisticated online reconnaissance techniques (such as scanning for computer network vulnerabilities) and conduct online research in order to select and target potential victims."
- Hiding Malicious Intent: "... the defendants would also disguise their attacks to appear like legitimate network activity." This refers to the placing of the malware on as many computers within a network as possible, without detection.
- Attacking When IT Security Was Out or Reduced: "The defendants maximized the damage caused to victims by launching attacks outside regular business hours, when a victim would find it more difficult to mitigate the attack."
[Related: Hackers Like to Hit on Holidays] - Ruining Backups: "... encrypting backups of the victims’ computers."
- Continuous SamSam Updates: "Savandi and Mansouri created the first version of the SamSam Ransomware in December 2015, and created further refined versions in June and October 2017.... For instance, Defendants added more sophisticated encryption to the SamSam Ransomware to make it more difficult to analyze."
- Personalized Web Page for Each Victim, Through Tor: "Defendants used the Ransom Webpages to communicate with Victims, arrange for payment, and provide decryption keys to Victims that paid the ransom. To spur prompt payment, the Ransom Webpages often included a threatening timer clock after which a Victim's decryption keys would be deleted."
SamSam ransomware attacks may continue
As long as the SamSam creators stay in Iran, they are out of reach of U.S. law. So why take the time to indict them? This effort and recent cybercrime indictments against Chinese and Russian nationals are a part of 5 Changes to the U.S. Cyber Stance and a Warning to Digital Foes.
The Department of Justice says these hackers launched their most recent known SamSam ransomware attack on September 28, 2018. It is impossible to know when they will strike next.
At least security teams now have a few pages from their hacker playbook, thanks to the indictiment.
[Related SecureWorld web conference, available on-demand: Ransomware: The Not-So Good, Really Bad, and Truly Ugly]