Ransomware Payments May Violate US Sanctions

Law enforcement agencies and security firms the world over constantly advise victims of ransomware not to pay. Despite this well-meaning advice, payments are still made. It is estimated that the authors of the SamSam ransomware netted nearly 6 million USD. If you made a payment to the crew behind SamSam, you will want to read further, as that payment may violate US sanctions. Towards the end of November 2018, the American Department of Justice (DoJ) announced its first ever indictment against criminal actors for deploying a for-profit ransomware, hacking, and extortion scheme. According to the indictment, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, both operating in Iran, authored and deployed the SamSam ransomware. The subsequent attacks encrypted files on computers belonging to US hospitals, schools, companies, government agencies, and other entities.

Some notable victims included the City of Newark, New Jersey; the Colorado Department of Transportation; Nebraska Orthopedic Hospital; the City of Atlanta; LabCorp of America; MedStar Health; and the Port of San Diego.

The indictment, unsealed in the District of New Jersey on November 28, 2018, charges Savandi and Mansouri with:

  • conspiracy to commit fraud and related activity in connection with computers;
  • conspiracy to commit wire fraud;
  • intentional damage to a protected computer; and
  • transmitting a demand in relation to damaging a protected computer.

The DoJ was quick to provide examples of how the pair operated, stating:

“For example, on May 28, 2016, the defendants allegedly accessed the network of Kansas Heart Hospital and deployed the SamSam Ransomware to encrypt the hospital’s computers. They then extorted the hospital by demanding a ransom payment in Bitcoin in exchange for the decryption keys for the compromised data. According to the indictment, the defendants conducted online searches concerning the hospital and accessed its website a few days before the attack.  This was just one alleged example of the defendants’ efforts to select and target their victims.”

As a result of the indictment, the two Iranian nationals are now considered by the DoJ to be fugitives from justice. However, the indictment may have effects that reach further than the imprisonment of two cyber criminals. Shortly after the DoJ made its announcement, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) also publicly attributed cryptocurrency addresses to individuals who were involved in converting ransomware cryptocurrency payments. This announcement represents the first time the department has made such moves against individuals profiting from cybercrime while not being the authors themselves.

Financial Facilitators Not Safe

In the announcement, OFAC attributed the cryptocurrency addresses to Iran-based individuals named Ali Khorashadizadeh and Mohammad Ghorbaniyan, who the US government states have facilitated the exchange of ransomware payments into Iranian Rial. The addresses provided, 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V and 149w62rY42aZBox8fGcmqNsXUzSStKeq8C, contain a combined total of 5,901 bitcoins. Even with the knock the cryptocurrency has taken in the markets recently, that places the combined balance at the equivalent of nearly 23 million USD.

While the numbers make for intriguing reading, OFAC had one more ace up its sleeve. The department further added Khorashadizadeh and Ghorbaniyan to the Specially Designated Nationals and Blocked Persons List (SDN). This has the practical effect of blocking US companies and individuals from doing business or conducting any transactions with these individuals. It can also conceivably affect non-US businesses and individuals who conduct transactions with them, due to secondary sanctions. Ultimately this means that those who are infected with ransomware and wish to pay the ransom must be extra careful not to send money to these bitcoin addresses. Such payments can result in massive fines that make the original ransom payment pale in comparison.

Ransomware Recovery Companies

It is not only individuals who are at risk of receiving a massive fine from a US department. Companies that exist to help victims with ransomware negotiations now have an added level of complexity to deal with. Data recovery specialists will also be impacted, as they too commonly deal with ransomware operators. Coveware CEO Bill Siegel told BleepingComputer,

“OFAC has made it clear that any U.S. business that sends cryptocurrency to a wallet address, regardless of the reason, needs to check the OFAC list first. Paying for ransomware with cryptocurrency had previously been tacitly acknowledged as a necessity, despite the legal and regulatory opacity of the activity. Treasury has officially taken the first steps towards setting a regulatory minimum standard of care for ransomware payments, and it's a big step up.”

While Coveware has adopted a positive attitude to recent developments, it will be interesting to see how other companies that often deal with ransomware operators respond. One industry that has blossomed with the advent of ransomware is data recovery. It has long been rumored that many companies offering these services are less than forthcoming about how they manage to decrypt encrypted files. Some have gone so far as to accuse many of these businesses of simply paying the ransom. It is assumed that such services operate by merely negotiating with the ransomware developers and paying the ransom on your behalf, which inevitably includes a bill for their time and “decrypting” services rendered.

Such businesses have already attracted the attention of law enforcement in the past. Those operating them will certainly have to be far more careful moving forward from the indictment and subsequent announcement by US law enforcement departments.

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
