PricewaterhouseCoopers, one of the Big Four auditing companies and widely referred to as PwC, has revealed in an exclusive bulletin a connection between two Iranian nationals and the digital currency exchange platform WEX (known as BTC-e until September 2017). The two Iranians are Mohammad Mehdi Shah Mansouri and Faramarz Shahi Savandi, the creators of the SamSam ransomware.
The ransomware has drawn considerable attention in recent times because of its Bitcoin ransom demands. It is said to have damaged over 200 entities, including US corporations, government agencies, hospitals and universities. Over a period of 34 months, the attackers extorted about 6 million dollars in Bitcoin and caused losses of more than 30 million dollars worldwide.
In September of last year, the United States Department of Justice also published thorough details of the damage SamSam caused across Canada and the US.
PwC's report identifies BTC-e as having allegedly played a central role in laundering about 4 billion dollars. It further reports that the exchange handled a minimum of 1.9 million dollars connected to SamSam. According to PwC, BTC-e cashed out 95 percent of all ransomware payments made from 2014 to 2017, of which $1.9 million came from SamSam.
Decoding the Ransomware SamSam
The six-count indictment against the Iranian duo alleges that they created SamSam in December 2015 with the sole aim of encrypting the data on their victims' computers.
The duo first identified vulnerabilities in a victim's systems, then broke into the machines to install and execute SamSam. Mansouri and Savandi would then demand a ransom in Bitcoin from the victims in exchange for restoring system access and unlocking their data. Once the ransom was paid, the duo converted it into local Iranian currency through Iranian digital currency exchanges.
To extend the campaign, Mansouri and Savandi released "refined versions" of SamSam in June and October 2017 to cause further harm. The campaign came to be recognized worldwide as an international computer hacking and extortion scheme based in Iran.
The Roots of BTC-e and WEX
WEX is a digital currency exchange platform that emerged in 2017. It was launched shortly after Greek and US officials arrested BTC-e's alleged Russian co-founder and administrator and shut the exchange down.
BTC-e is thought to have been at the center of digital currency money laundering; it was also Russia's oldest digital currency exchange.
Although WEX states that it has nothing to do with BTC-e, its website design and the trading pairs it offers closely resemble those of BTC-e. According to PwC, WEX also supported the migration of BTC-e's former user base after the shutdown.
Two More Iranians Involved
The Office of Foreign Assets Control (OFAC) of the United States Department of the Treasury also took action against two more Iranians, Ali Khorashadizadeh and Mohammad Ghorbaniyan, for acting as the principal Bitcoin launderers for the ransomware operators. They reportedly ran digital currency exchanges in Iran that made it easy for the SamSam duo to convert the extorted BTC. After a thorough analysis of evidence such as emails and wallet addresses, PwC was able to link WEX to Khorashadizadeh and Ghorbaniyan.
PwC's analysis also suggests that threat actors prefer relatively lesser-known crypto exchanges, because the popular platforms have mechanisms in place to identify illegal activity.
The digital asset researchers further found that countries with minimal or no rules to curb crypto money laundering received 36 times more BTC from criminally connected groups than countries with adequate regulation. The report also advises against paying such ransoms unless lives are at risk.