Iran-based malware that demands a digital ransom in cryptocurrencies is on the rise and will further escalate in the present geopolitical climate, according to a report published by global management consulting firm Accenture on August 7.
After two years of analysis, Accenture Security iDefense predicts that emerging trends in the Iranian cyber threat landscape will intensify as the country is forced into a defensive and economically straitened position in the wake of the U.S. exit from the Obama-era Iran nuclear accord this spring.
With the U.S. set to imminently reimpose tough economic sanctions, Accenture has warned that the ransomware it found “could have been created by government-backed actors or Iranian criminals, or both,” as the Wall Street Journal (WSJ) reports.
Accenture has tracked five new types of ransomware — some of which demand “staggering” crypto ransoms — that its analysis has traced back to hackers in Iran based on samples that contain messages in Farsi as well as other clues pointing to Iranian computer systems.
“WannaSmile” — a zCrypt variant that Accenture discovered in November 2017 — asks for a 20 Bitcoin (BTC) payment in a Farsi ransom note and also advertises local Iran-based payment processors and exchanges through which victims can acquire the cryptocurrency.
Another sample, “Black Ruby,” is programmed to spare computers with an Iranian IP address; on any other machine it encrypts the target’s files and also installs a resource-hungry Monero (XMR) miner. The ransom for Black Ruby, which Accenture discovered in February 2018, is $650 in BTC.
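The Farsi-language ransom notes and other Farsi strings that Accenture cites as an attribution clue can be surfaced during triage with a short script. The following is an added example written for this article, not Accenture's tooling or code from any of the samples it describes: it pulls Arabic-script runs out of a file's bytes under both UTF-8 and UTF-16LE (the encoding Windows binaries normally use for embedded strings) and flags runs that contain letters Persian uses but Arabic does not, which is what separates a Farsi note from an Arabic one. The sample bytes, the note text and the function names are all constructed for the demonstration.

```python
"""Triage heuristic for Farsi strings inside a malware sample.

Added example for this article, not Accenture's tooling. It decodes the whole
buffer as UTF-8 and as UTF-16LE, extracts runs of Arabic-script characters, and
flags runs that use Persian-specific letters. The sample bytes are constructed.
"""
import re

# Arabic script blocks plus presentation forms; ZWNJ (U+200C) is common in Persian.
_ARABIC_CLASS = r"\u0600-\u06FF\u0750-\u077F\u08A0-\u08FF\uFB50-\uFDFF\uFE70-\uFEFF"
_ARABIC_RUN = re.compile(rf"[{_ARABIC_CLASS}][{_ARABIC_CLASS}\s\u200C]*")

# Letters in Persian orthography that standard Arabic does not use:
# peh, tcheh, jeh, keheh, gaf, farsi yeh.
PERSIAN_ONLY_LETTERS = frozenset("\u067E\u0686\u0698\u06A9\u06AF\u06CC")


def extract_arabic_script_runs(data: bytes, min_len: int = 4):
    """Return [(encoding, text)] for Arabic-script runs of at least min_len chars.

    Decoding the whole buffer under each encoding with errors="ignore" is crude
    but cheap; requiring several consecutive script characters keeps chance hits
    from mis-decoded bytes out of the results.
    """
    runs = []
    for enc in ("utf-8", "utf-16-le"):
        text = data.decode(enc, errors="ignore")
        for m in _ARABIC_RUN.finditer(text):
            s = m.group().strip()
            if len(s) >= min_len:
                runs.append((enc, s))
    return runs


def persian_letters_in(text: str):
    """Persian-specific letters present in text, as a sorted list."""
    return sorted(set(text) & PERSIAN_ONLY_LETTERS)


def triage(data: bytes):
    """Summarise Arabic-script strings in a sample and flag the likely-Farsi ones."""
    findings = []
    for enc, s in extract_arabic_script_runs(data):
        persian = persian_letters_in(s)
        findings.append({"encoding": enc, "text": s,
                         "likely_farsi": bool(persian), "persian_letters": persian})
    return findings


# Constructed sample: a Farsi note stored as UTF-16LE (as a Windows string
# resource would be) next to an Arabic-only UTF-8 string, with ASCII around both.
FARSI_NOTE = ("\u0641\u0627\u06CC\u0644 \u0647\u0627\u06CC \u0634\u0645\u0627 "
              "\u0631\u0645\u0632\u06AF\u0630\u0627\u0631\u06CC \u0634\u062F\u0647 "
              "\u0627\u0633\u062A")            # "your files have been encrypted"
ARABIC_ONLY = "\u0645\u0631\u062D\u0628\u0627 \u0628\u0643\u0645"  # Arabic greeting, no Persian letters
SAMPLE = (b"RANSOM NOTE\x00" + FARSI_NOTE.encode("utf-16-le") + b"\x00\x00"
          + b"contact: " + ARABIC_ONLY.encode("utf-8") + b"\x00")

if __name__ == "__main__":
    for f in triage(SAMPLE):
        label = "likely Farsi" if f["likely_farsi"] else "Arabic script"
        print(f["encoding"], label, repr(f["text"]))
```

Treat a hit as a lead, not an attribution: an embedded language string is trivial to plant, and the report itself hedges on who authored these samples.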
The report says that the increase in ransomware activity suggests that Iran-based actors are “financially motivated to target global organizations by using ransomware and cryptocurrency miners for financial gain,” although it notes that
“Based on current Iranian policy, the feud may not lead to any disruptive or destructive cyberattack against the United States or European counterparts in the near future.”
Accenture’s report adds that the Iranian government might instead target its neighbors — like Saudi Arabia, the United Arab Emirates, Bahrain, and Israel — as they supported the U.S. decision to pull out of the nuclear agreement.
Jim Guinn, head of Accenture’s industrial cybersecurity business, told the WSJ that stealth crypto-mining attacks — also known as cryptojacking — have already caused “significant issues in some oil and gas facilities in the Middle East,” estimating that “millions of dollars of compute cycles have been hijacked over the past 12 months and continue to be hijacked every day.”
Amid the geopolitical fallout, economic turmoil in Iran has seen some citizens turn to crypto in an attempt to protect their funds. As of May, Iranians were estimated to have siphoned $2.5 billion out of the country in crypto, notwithstanding the central bank’s move to ban local financial institutions from dealing in crypto earlier this spring.