Researchers Uncover Iranian State-Sponsored Ransomware Operation

Iran has been linked to yet another state-sponsored ransomware operation through a contracting company based in the country, according to new analysis.

“Iran’s Islamic Revolutionary Guard Corps (IRGC) was operating a state-sponsored ransomware campaign through an Iranian contracting company called ‘Emen Net Pasargard’ (ENP),” cybersecurity firm Flashpoint said in its findings, which summarize three documents leaked between March 19 and April 1 by an anonymous entity known as Read My Lips or Lab Dookhtegan via its Telegram channel.

Dubbed “Project Signal,” the initiative is said to have kicked off sometime between late July 2020 and early September 2020, with ENP’s internal research organization, named the “Studies Center,” putting together a list of unspecified target websites.

A second spreadsheet validated by Flashpoint explicitly spelled out the project’s financial motivations, with plans to launch the ransomware operations in late 2020 for a period of four days between Oct. 18 and 21. Another document outlined the workflows, including steps for receiving Bitcoin payments from ransomware victims and decrypting the locked data.

It’s not immediately clear if these attacks went ahead as planned and whom they targeted.

“ENP operates on behalf of Iran’s intelligence services providing cyber capabilities and support to Iran’s Islamic Revolutionary Guard Corps (IRGC), the IRGC Quds Force (IRGC-QF), and Iran’s Ministry of Intelligence and Security (MOIS),” the researchers said.

Despite the project’s ransomware themes, the researchers suspect the move was a “subterfuge technique” to mimic the tactics, techniques, and procedures (TTPs) of financially motivated cybercriminal ransomware groups, making attribution harder and letting the operation blend in with the broader threat landscape.

Interestingly, the rollout of Project Signal also dovetailed with another Iranian ransomware campaign called “Pay2Key,” which ensnared dozens of Israeli companies in November and December 2020. Tel Aviv-based cybersecurity firm ClearSky attributed that wave of attacks to a group called Fox Kitten. Given the lack of evidence, it’s unknown what connection, if any, the two campaigns have with each other.

This is not the first time Lab Dookhtegan has dumped crucial information pertaining to Iran’s malicious cyber activities. In a style echoing the Shadow Brokers, Lab Dookhtegan previously spilled the secrets of an Iranian hacker group known as APT34 or OilRig, publishing the adversary’s arsenal of hacking tools along with information on 66 victim organizations and doxxing the real-world identities of Iranian government intelligence agents.

News of Iran’s new ransomware operation also comes as a coalition of government bodies and private-sector tech firms, called the Ransomware Task Force, shared an 81-page report containing 48 recommendations for detecting and disrupting ransomware attacks, as well as helping organizations prepare for and respond to such intrusions more effectively.