Two Iranian men have been charged with operating a long-running international hacking and extortion scheme in which they targeted public institutions—including the city of Atlanta government—with ransomware causing $30 million in losses, the Justice Department announced Wednesday.
A federal grand jury returned a six-count indictment, unsealed today in Newark, New Jersey, charging Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, with fraud and conspiracy charges related to the creation of the SamSam ransomware program. The pair remain at large, possibly still operating in Iran.
“The Iranian defendants allegedly used hacking and malware to cause more than $30 million in losses to more than 200 victims,” Deputy Attorney General Rod Rosenstein said in announcing the charges Wednesday. “According to the indictment, the hackers infiltrated computer systems in 10 states and Canada and then demanded payment. The criminal activity harmed state agencies, city governments, hospitals, and countless innocent victims.”
According to the DOJ, Savandi and Mansouri allegedly accessed the computers illegally by penetrating security vulnerabilities in their networks. They then allegedly installed and executed the SamSam ransomware on the networks, resulting in the encryption of data on the victims’ computers.
Prosecutors alleged that the hackers would subsequently extort the victims by demanding ransoms to be paid in bitcoin in exchange for codes to restore their computers to normal operation. The bitcoin was then exchanged into Iranian currency, according to the DOJ, which alleged that the scheme netted Savandi and Mansouri more than $6 million in ransom payments and caused over $30 million in losses to victims.
“The allegations in the indictment unsealed today—the first of its kind—outline an Iran-based international computer hacking and extortion scheme that engaged in 21st-century digital blackmail,” said Assistant Attorney General Brian Benczkowski in a DOJ statement.
“These defendants allegedly used ransomware to infect the computer networks of municipalities, hospitals, and other key public institutions, locking out the computer owners, and then demanded millions of dollars in payments from them. As today’s charges demonstrate, the Criminal Division and its law enforcement partners will relentlessly pursue cybercriminals who harm American citizens, businesses, and institutions, regardless of where those criminals may reside.”
The Justice Department indicated that more than 200 entities were affected by the scheme, including the cities of Atlanta and Newark, New Jersey; the Port of San Diego; the Colorado Department of Transportation; the University of Calgary in Calgary, Alberta, Canada; and six health care-related entities: Hollywood Presbyterian Medical Center in Los Angeles; Kansas Heart Hospital in Wichita, Kansas; Laboratory Corporation of America Holdings, more commonly known as LabCorp, headquartered in Burlington, North Carolina; MedStar Health, headquartered in Columbia, Maryland; Nebraska Orthopedic Hospital now known as OrthoNebraska Hospital, in Omaha, Nebraska; and Allscripts Healthcare Solutions Inc., headquartered in Chicago.
Prosecutors said Savandi and Mansouri authored the first version of the SamSam program in December 2015 and continued to refine and create more versions of it through 2017.
Additionally, Savandi and Mansouri used ”sophisticated online reconnaissance techniques (such as scanning for computer network vulnerabilities),” prosecutors alleged.
The defendants allegedly conducted online searches to scope out potential victims and, according to the DOJ, they would also conceal their activities to look like normal network business.
The Atlanta attack, which occurred in March, disrupted city payment and court information portals.
The city tweeted on March 28 that there is “no evidence to show that customer or employee data has been compromised. However, customers and employees are encouraged to take precautionary measures to monitor and protect their personal information.”
Hackers gave the city of Atlanta a week to pay the 6 bitcoin (or roughly $51,000) ransom, the full amount of which would be due March 28, should the city decide to pay. Wired magazine reported that the city, which did not acknowledge whether it paid the ransom, spent $2.6 million to deal with the attack.
A statement by Atlanta Mayor Keisha Lance Bottoms about the indictments Wednesday said: “We are grateful for all our federal partners who have assisted with identifying the perpetrators and bringing them to justice. The Administration remains committed to ensuring the ongoing safety and security of the City’s cyber-infrastructure, as well as that of the people of Atlanta.”
Daily Report managing editor Jonathan Ringel (@jonathanringel) contributed to this version of this article, which first ran in Legaltech News.