Iranian State-Sponsored Ransomware Operation Discovered

An Iranian state-sponsored ransomware operation has been discovered by Flashpoint, a security research company. According to the company's findings, Iran’s Islamic Revolutionary Guard Corps (IRGC) was running state-sponsored ransomware operations through an Iranian company called ‘Emen Net Pasargard’ (ENP).

Flashpoint found three documents leaked by an anonymous entity named Read My Lips, or Lab Dookhtegan, on its Telegram channel between March 19 and April 1.

The operation, called ‘Project Signal’, kicked off sometime between late July 2020 and the start of September 2020. ENP was referred to as the “Studies Center”, and its task was to set itself up as a research organization for putting together a list of unspecified target websites.

Another spreadsheet validated by Flashpoint clearly specified the project’s financial motivations. It contained plans to launch the ransomware operations in late 2020 over a period of four days, between Oct. 18 and 21.

The third document revealed the workflows, including the steps for receiving Bitcoin payments from ransomware victims and decrypting the locked data.

There is no clear indication whether the attacks were carried out according to the plan, or who the targets were.

According to the researchers, the ENP works on behalf of Iran’s intelligence services to provide cyber capabilities and support to Iran’s Islamic Revolutionary Guard Corps (IRGC), the IRGC Quds Force (IRGC-QF), and Iran’s Ministry of Intelligence and Security (MOIS).

The researchers further explained that, although the project suggests ransomware tactics, it is more likely a “subterfuge technique” that mimics the tactics, techniques, and procedures (TTPs) of financially motivated cybercriminal ransomware groups, in order to make attribution harder and blend in better with the threat landscape.

Other possible links to Project Signal

According to ClearSky, a group called Fox Kitten carried out the Iranian ransomware campaign known as “Pay2Key” against a dozen Israeli companies in November and December.

Hacking groups such as Shadow Brokers and Lab Dookhtegan have previously disclosed the secrets of the Iranian hacker group known as APT34 or OilRig. They have also published the adversary's arsenal of hacking tools, along with information on 66 victim organizations. Apart from this, they have doxed the real-world identities of members of Iranian government intelligence agencies, so this is certainly not a first for the group.

The latest news of Iran’s ransomware operation comes at a time when a collaboration between the government and private-sector tech firms, called the Ransomware Task Force, has been formed. Its 81-page report lists 48 recommendations for detecting and disrupting ransomware attacks, as well as for helping organizations prepare for and respond to such intrusions more effectively.