The Justice Department has indicted two Iranian men behind the SamSam ransomware attacks – that infected the cities of Atlanta, San Diego and Newark, N.J. – as well as two others who converted the ransom into Iranian riyals.

Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, “extorted victims by leaving a ransom note in the form of a file on each computer encrypted by SamSam Ransomware,” read the indictment, unsealed Wednesday a U.S. District Court in New Jersey. “Each victim’s ransom note told the Victim that its files were encrypted, told the victim that it would have to pay Bitcoin to get the decryption keys.”

A SamSam attack crippled a number of systems and services in Atlanta in March and the Port of San Diego in September.

The ransomware cut a relatively wide swath across the world with at least 67 different targets, 54 in the U.S., being struck in 2018, according to a Symantec report.

“The Iranian defendants allegedly used hacking and malware to cause more than $30 million in losses to more than 200 victims,” said Deputy Attorney General Rod Rosenstein said in a release.  “According to the indictment, the hackers infiltrated computer systems in 10 states and Canada and then demanded payment. The criminal activity harmed state agencies, city governments, hospitals, and countless innocent victims.”

Symantec researchers noted that despite such high-profile incidences such as Atlanta, San Diego and the Colorado Department of Transportation, the majority of victims, 24 percent, were in the healthcare field. The focus on healthcare may be due to the attacker’s impression that these will be easier targets, they cybergang behind SamSam does show a preference for easy hits, or that they are more likely to fork over the ransom.

SamSam proved to be a thorny challenge for security teams. It is atypical of ransomware attacks in that its entire attack process is manual, Peter MacKenzie, global malware escalations manager working in Sophos Technical Support, told SC Media during the Black Hat 2018 show in Las Vegas.

Grammatical errors were a clue that the attackers likely didn’t speak English as a first language, the attacks didn’t rely on the typical badly worded spam email with an attachment. 

Instead, the attacks were old school, using “tools that attempt as many logins as quickly as the Remote Desktop Protocol will permit,” Sophos said in a report.

Once in, attackers spread the “payload laterally across the network; a sleeper cell that lays in wait for instructions to begin encrypting,” Sophos said.

Because SamSam encrypts document files, images, and other personal or work data, as well as “configuration and data files required to run applications (e.g., Microsoft Office),” Sophos said “victims whose backup strategy only protects the user’s documents and files won’t be able to recover a machine without reimaging it first.”

Once the attackers received the ransom, two Bitcoin exchangers, identified by the Treasury Department as Ali Khorashadizadeh and Mohammad Ghorbaniyan, turned it into Iranian riyals.

The department’s Office of Foreign Assets Control (OFAC) identified two digital currency addresses associated with the two and through which more than 7,000 bitcoin transactions – some of them related to SamSam – were processed, the Treasury Department said. 

“Treasury is targeting digital currency exchangers who have enabled Iranian cyber actors to profit from extorting digital ransom payments from their victims.  As Iran becomes increasingly isolated and desperate for access to U.S. dollars, it is vital that virtual currency exchanges, peer-to-peer exchangers, and other providers of digital currency services harden their networks against these illicit schemes,” Treasury Under Secretary for Terrorism and Financial Intelligence Sigal Mandelker said in the release.  “We are publishing digital currency addresses to identify illicit actors operating in the digital currency space. Treasury will aggressively pursue Iran and other rogue regimes attempting to exploit digital currencies and weaknesses in cyber and AML/CFT safeguards to further their nefarious objectives.”