US Treasury Dept. Takes Action Against Two Iranians Allegedly Involved in BTC Ransomware

The U.S. Department of Treasury has sanctioned two Iranians allegedly involved in Bitcoin ransomware scheme SamSam.

The U.S. Treasury Department has sanctioned two Iranians allegedly involved in Bitcoin (BTC) ransomware scheme SamSam, the Treasury reported in an official press release today, Nov. 28.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has taken action on Wednesday against two Iranian individuals, Ali Khorashadizadeh and Mohammad Ghorbaniyan, who are accused of exchanging Bitcoin into Iranian rials (IRR).

This is also the first time that Bitcoin addresses have been publicly attributed to “designated individuals” on OFAC’s sanctions list.

According to the report, SamSam ransomware breaks into companies’ computer networks, allowing criminals to take over administrator rights and then demand a ransom in Bitcoin in exchange for restoring users’ access to the network. The ransomware has reportedly damaged multiple companies, government agencies, universities, and hospitals, targeting more than 200 victims, the Treasury said.

OFAC has identified two crypto addresses associated with the alleged Iran-based criminals, which have handled 7,000 Bitcoin transactions moving around 6,000 BTC since 2013, the report states.
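Once sanctioned Bitcoin addresses appear on a public list, an exchange or payment processor needs to screen the inputs and outputs of each transaction it touches against that list. The following is an added example of such a screening check, not code from the article or from OFAC. The two listed addresses are constructed placeholders (the article does not reproduce the real designated addresses), and the transaction records are constructed too. The one subtlety worth showing is address normalization: bech32 addresses (those starting with `bc1`) are case-insensitive by specification, while legacy base58 addresses are case-sensitive, so a naive lowercase-everything comparison would either miss hits or create false ones.

```python
"""Screen the counterparties of a Bitcoin transaction against a sanctions address list.

Added example; the sanctioned entries below are constructed placeholders and are
not the addresses designated by OFAC.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed placeholder list: address -> name of the list entry it belongs to.
# Real screening would load the published SDN list instead.
SANCTIONED_ADDRESSES: Dict[str, str] = {
    "1PLACEHOLDERxLegacyBase58Address": "PLACEHOLDER-SDN-ENTRY-1",
    "bc1qplaceholderbech32addressforexample": "PLACEHOLDER-SDN-ENTRY-2",
}


def normalize(address: str) -> str:
    """Canonicalize an address for comparison.

    Bech32 (bc1...) addresses are case-insensitive, so they are lowercased.
    Legacy base58 addresses are case-sensitive and must be compared as-is.
    """
    addr = address.strip()
    if addr[:3].lower() == "bc1":
        return addr.lower()
    return addr


def build_index(entries: Dict[str, str]) -> Dict[str, str]:
    """Pre-normalize the list so lookups are a single dict access."""
    return {normalize(addr): name for addr, name in entries.items()}


@dataclass
class Transaction:
    txid: str
    inputs: List[str] = field(default_factory=list)   # spending addresses
    outputs: List[str] = field(default_factory=list)  # receiving addresses


def screen(tx: Transaction, index: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (role, address, list_entry) for every listed counterparty of tx."""
    hits: List[Tuple[str, str, str]] = []
    for role, addrs in (("input", tx.inputs), ("output", tx.outputs)):
        for addr in addrs:
            entry = index.get(normalize(addr))
            if entry is not None:
                hits.append((role, addr, entry))
    return hits


def screen_batch(txs: List[Transaction], entries: Dict[str, str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Screen many transactions; only transactions with at least one hit are returned."""
    index = build_index(entries)
    flagged = {}
    for tx in txs:
        hits = screen(tx, index)
        if hits:
            flagged[tx.txid] = hits
    return flagged


if __name__ == "__main__":
    # Constructed sample transactions: the first pays a listed bech32 address written
    # in upper case, the second touches only unlisted addresses.
    sample = [
        Transaction("tx-constructed-1",
                    inputs=["bc1qunlistedinputaddressconstructed"],
                    outputs=["BC1QPLACEHOLDERBECH32ADDRESSFOREXAMPLE"]),
        Transaction("tx-constructed-2",
                    inputs=["1UnlistedLegacyAddressConstructed"],
                    outputs=["1AnotherUnlistedAddressConstructed"]),
    ]
    for txid, hits in screen_batch(sample, SANCTIONED_ADDRESSES).items():
        for role, addr, entry in hits:
            print(f"{txid}: {role} {addr} matches {entry}")
```

In practice the list would be refreshed from the published source on a schedule, and a hit would route the transaction to a compliance hold rather than just printing it; the normalization rule above is the part most easily got wrong when the list mixes address formats.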

While Khorashadizadeh and Ghorbaniyan are allegedly responsible for exchanging the crypto and depositing rials into Iranian banks, the ransomware scheme also involved two other Iranians who acted as the hackers and have been infecting data networks with SamSam in the U.S., the United Kingdom, and Canada since 2015.

In August, U.K.-based science and technology magazine Wired UK reported that SamSam creators were making around $300,000 per month, and “nobody [could] work out who they are.” According to research provided by cybersecurity firm Sophos, SamSam has amassed about $6 million since apparently being launched in 2015.

According to Wired UK, SamSam did not perform anything “particularly sophisticated,” with no automation and implementing “old-school hacking.” The ransomware was reportedly managed manually, unlike the massive WannaCry ransomware that shut down hundreds of U.K. hospitals and GPs in 2017.