The Men Who Never Were: Assessing Ties Between the Samsam Ransomware Campaign and the IRGC presented at BSidesAtlanta 2020

by Charlie Cullen

Summary: On November 28th, 2018, the U.S. Justice Department indicted two Iranian nationals for their role in developing and deploying the Samsam ransomware over a 3-year campaign netting over $6 million. Up until now, little reporting or information has existed about the origins of these actors or the motivations behind their attacks. However, research into their backgrounds revealed them to be seasoned threat actors with deep ties to Iran’s national security establishment, including personal ties to the Islamic Revolutionary Guard Corps (IRGC) and to IRGC-affiliated actors also indicted for their role in disruptive cyber attacks against the U.S. This presentation will trace the origins of these individuals, their ties to other threat actors, and their use during the Samsam campaign of tools previously employed in disruptive attacks. It will feature an in-depth review of the investigative practices used to trace the operators’ past activities despite their high level of operational security. Their own commentary on participating in Samsam, their military ties, and their ideological backgrounds will also be examined in light of what was ostensibly a financially motivated campaign. Ultimately, this talk also seeks to highlight how deep-dive research into individual actors’ past activities can help unearth their involvement in emerging threats.