According to a report by respected accountancy firm PricewaterhouseCoopers (PwC), the individuals behind the SamSam ransomware attack are connected to the controversial cryptocurrency exchange WEX (formerly BTC-e). The Iranian hacker group is believed to have used the platform to launder up to $6 million.
Two of the men identified by the US Department of Justice as being responsible for the SamSam ransomware are Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri. PwC identifies both as having links to WEX. The SamSam attack, details of which were published last September, is believed to have cost a total of $30 million.
WEX Linked to “Cleanup” of Ransomware Funds
The PwC report states that criminals are increasingly favouring smaller cryptocurrency exchanges to launder money using Bitcoin or other digital currencies. It attributes this to stricter compliance with “know your customer” and anti-money laundering regulations at larger trading venues. It goes on to suggest that decentralised exchanges, such as those being launched by Binance and other firms, could be used by launderers to evade detection going forward.
One of the smaller exchanges favoured appears to be WEX. Two of the Iranian nationals linked to the SamSam ransomware attack, which hit over 200 institutional targets to the tune of over $30 million, are believed to have been connected with the exchange. PwC writes:
“We identified this Iranian money laundering operation as having links with currency exchange WEX (previously known as BTC-e)… WEX is most notably known for its alleged involvement in the threat actor tracked by PwC as Blue Athena, and being responsible for cashing out 95 percent of all ransomware payments made since 2014.”
Payment for the release of files encrypted by ransomware attacks like SamSam and WannaCry is often demanded in Bitcoin or another cryptocurrency. This, according to the PwC report, is because it is much safer for the attackers to transact discreetly with, thanks to its “inherent decentralised and anonymous qualities.”
Although WEX explicitly denies being connected to BTC-e, the two share almost identical layouts, and the PwC report states that all the user accounts from BTC-e were transferred over to the WEX platform. BTC-e trading came to an abrupt halt in 2017 following the arrest of Alexander Vinnik, the site’s administrator, who is suspected of being involved in the laundering of around $4 billion.
PwC states that it expects to see more examples of the Treasury’s Office of Foreign Assets Control publicly attributing digital currency addresses to individuals, as it did with the Iranian nationals in this case. This, it admits, may force the criminals to alter their tactics in response.
In conclusion, PwC advised those affected by ransomware like SamSam not to pay the ransom. It states that payment merely encourages further attacks, since it proves the economic validity of the scheme.