Two Iranian men have been charged with operating a long-running international hacking and extortion scheme in which they targeted public institutions—including the City of Newark—with ransomware, causing $30 million in losses, the Justice Department announced Wednesday.
A federal grand jury returned a six-count indictment, unsealed today in Newark, charging Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, with fraud and conspiracy charges related to the creation of the SamSam Ransomware program. The pair remain at large, possibly still operating in Iran.
“The Iranian defendants allegedly used hacking and malware to cause more than $30 million in losses to more than 200 victims,” Deputy Attorney General Rod Rosenstein said in announcing the charges Wednesday in Washington, D.C. “According to the indictment, the hackers infiltrated computer systems in 10 states and Canada and then demanded payment. The criminal activity harmed state agencies, city governments, hospitals, and countless innocent victims.”
According to the DOJ, Savandi and Mansouri allegedly gained illegal access to the victims’ computers by exploiting security vulnerabilities in their networks. They then allegedly installed and executed the SamSam Ransomware on those networks, encrypting the data on the victims’ computers.
Prosecutors alleged that the hackers would subsequently extort the victims by demanding ransoms to be paid in Bitcoin in exchange for codes to restore their computers to normal operation. The Bitcoin was then exchanged into Iranian currency, according to the DOJ, which alleged that the scheme netted Savandi and Mansouri more than $6 million in ransom payments and caused over $30 million in losses to victims.
The indictment alleges that the criminal conduct occurred between December 2015 and November 2018, in Essex and Mercer counties and elsewhere.
The City of Newark is alleged to have been one of the pair’s victims, in April 2017. An unnamed Mercer County business is another alleged victim, as a result of a January 2016 incident.
“The defendants in this case developed and deployed the SamSam Ransomware in order to hold public and private entities hostage and then extort money from them,” said Craig Carpenito, U.S. attorney for the District of New Jersey, in a statement.
“As the indictment in this case details, they started with a business in Mercer County and then moved on to major public entities, like the City of Newark, and healthcare providers, like the Hollywood Presbyterian Medical Center in Los Angeles and the Kansas Heart Hospital in Wichita—cravenly taking advantage of the fact that these victims depend on their computer networks to serve the public, the sick, and the injured without interruption.”
Carpenito added that the charges “show that the U.S. Attorney’s Office for the District of New Jersey will continue to act to disrupt such criminal acts, and identify those who are responsible for them, no matter where in the world they may seek to hide.”
The Justice Department indicated that more than 200 entities were affected by the scheme, including the City of Atlanta; the Port of San Diego; the Colorado Department of Transportation; the University of Calgary in Canada; and six health care-related entities, including Laboratory Corporation of America Holdings, more commonly known as LabCorp, headquartered in Burlington, North Carolina.
Prosecutors said Savandi and Mansouri authored the first version of the SamSam program in December 2015 and continued to refine and create more versions of it.
Additionally, Savandi and Mansouri used “sophisticated online reconnaissance techniques (such as scanning for computer network vulnerabilities),” prosecutors alleged.
The defendants allegedly conducted online searches to scope out potential victims and, according to the DOJ, also concealed their activities so that they appeared to be normal network business.