Big four accountancy group PricewaterhouseCoopers (PwC) has issued a special bulletin connecting the Iranian nationals behind notorious SamSam ransomware and the incredibly infamous cryptocurrency exchange WEX (formerly BTC-e).
The report alleges SamSam creators Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri used the WEX exchange service to launder sizable chunks of the $6 million in Bitcoin BTC generated throughout their 34-month-long international hacking and extortion spree.
“We identified this Iranian money laundering operation as having links with currency exchange WEX (previously known as BTC-e),” declared PwC. “WEX is most notably known for its alleged involvement in laundering of some $4 billion, transferring of funds to facilitate operations of the threat actor tracked by PwC as Blue Athena, and being responsible for cashing out 95 percent of all ransomware payments made since 2014.”
Last September, the US Department of Justice published full details of the SamSam ransomware campaign, which was found to have caused more than $30 million worth of damages across the US and Canada.
More than 200 victims were hit, including hospitals, public institutions, and municipalities.
What was the SamSam ransomware?
The six-count indictment against Savandi and Mansouri alleges that they, while acting from inside Iran, created SamSam in December 2015 with the primary goal of forcibly encrypting data on the computers of their victims.
The pair accessed targeted machines through various security vulnerabilities, which would allow them to install and execute SamSam directly.
Savandi and Mansouri would then extort victims by demanding a Bitcoin ransom for unlocking the data and returning access. Once the payments were collected, the attackers would exchange the Bitcoin into their local currency, primarily through cryptocurrency exchanges based in Iran.
The duo were noted to have further released “refined versions” of SamSam in June and October of 2017.
Their campaign was described as “an Iran-based international computer hacking and extortion scheme that engaged in 21st-century digital blackmail.”
What is WEX/BTC-e?
WEX (formally known as BTC-e) is an online currency exchange desk that came about in 2017. It was opened shortly after US and Greek authorities closed BTC-e by arresting its Russian-borne administrator and suspected co-founder.
BTC-e is understood to have been a hotspot for cryptocurrency-related money laundering. It was actually Russia’s oldest cryptocurrency exchange, and more than $4 billion is believed to have been laundered through it from 2014 to 2017, including Bitcoins related to the Mt. Gox saga.
Impressively, 95-percent of all ransomware payments made between 2014 and 2017 is believed to have been laundered through BTC-e. Approximately $1.9 million in Bitcoin ransoms generated by SamSam is understood to have been “cashed out” through BTC-e.
“WEX claims to be unrelated to BTC-e but its website design and trading pairs are almost identical, and it migrated over all the exchange‘s former users after BTC-e was shut down,” wrote PwC.
The WEX connection
Leveraging information published by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), PwC was able to link the SamSam duo to the WEX cryptocurrency exchange.
In particular, the report lists individuals previously named by OFAC as primary Bitcoin launderers for the SamSam hackers. PwC ties Mohammad Ghorbaniyan and Ali Khorashadizadeh to services associated with WEX, as well as a secondary exchange in Slovakia.
In fact, Mohammad Ghorbaniyan is named as the sole contact for a website known as enexchanger[.]com. The listed trading pairs on “enexchanger” include ridiculously sketchy “currencies” like WebMoney and Perfect Money.
“One of the cryptocurrency swaps offered is WEX-code to USD, which is a code that allows transferring of funds directly from wex[.]nz (WEX) users,” PwC’s report declared. “Both criminal and nation state threat actors are associated with the currency exchange BTC-e/WEX.”
PwC also noted that the use of Iran and Slovakia-based exchanges indicates threat actors favor using “lesser-known” currency exchanges to launder dirty cryptocurrency, as more popular exchanges tend to have compliance programs to detect illicit activities.
Indeed, cryptocurrency researchers found that exchanges in countries with little-to-no rules in place to curtail digital money laundering received 36 times more Bitcoin from criminally-linked groups than those that had reasonable regulations in place.
The report also urges the public to never make payments to ransomers unless they have made a threat to life.
“Paying a ransom is considered a poor practice because it encourages a threat actor to continue using ransomware and does not always guarantee that a decryption key will be provided. Furthermore, the paying of a ransom now has profound legal implications because this action could also violate US sanctions,” it concluded.
Update 15:55 UTC, March 7: Currently, the link to the full PwC security bulletin is unavailable. Hard Fork has reached out to PwC for comment, and will update this piece as we learn more.
Published March 4, 2019 — 17:20 UTC