U.S. federal authorities have indicted two Iranian nationals for deploying “sophisticated ransomware” from inside the Islamic Republic to extort hundreds of victims including hospitals, municipalities, and public institutions, a move that has caused over $30 million in losses, the Department of Justice (DOJ) announced Wednesday.
In a statement, U.S. Deputy Attorney General Rod Rosenstein explained:
The Iranian defendants allegedly used hacking and malware to cause more than $30 million in losses to more than 200 victims. According to the indictment, the hackers infiltrated computer systems in 10 states and Canada and then demanded payment. The criminal activity harmed state agencies, city governments, hospitals, and countless innocent victims.
Assistant Attorney General Brian Benczkowski described the indictment as unprecedented, noting:
The allegations in the indictment unsealed today—the first of its kind—outline an Iran-based international computer hacking and extortion scheme that engaged in 21st-century digital blackmail. These defendants allegedly used ransomware to infect the computer networks of municipalities, hospitals, and other key public institutions, locking out the computer owners, and then demanded millions of dollars in payments from them.
The department identified the defendants as Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, noting that a federal grand jury returned an indictment against them unsealed on Wednesday in Newark, New Jersey. DOJ explained that the indictment came after “a 34-month-long international computer hacking and extortion scheme involving the deployment of sophisticated ransomware,” adding:
The six-count indictment alleges that Savandi and Mansouri, acting from inside Iran, authored malware, known as “SamSam Ransomware,” capable of forcibly encrypting data on the computers of victims. According to the indictment, beginning in December 2015, Savandi and Mansouri would then allegedly access the computers of victim entities without authorization through security vulnerabilities, and install and execute the SamSam Ransomware on the computers, resulting in the encryption of data on the victims’ computers.
According to the indictment, hundreds of entities from across the United States fell victim to the ploy, including hospitals, municipalities, and public institutions.
“The defendants hacked, encrypted, and extorted more than 200 victims, and collected more than $6 million in ransom payments. The victims incurred additional losses exceeding $30 million resulting from the loss of access to their data,” the court papers revealed.
Federal investigators found that Savandi and Mansouri demanded that victims pay the ransom in the virtual currency Bitcoin in exchange for decryption keys for the encrypted data.
DOJ noted that federal authorities have charged the defendants with conspiracy to commit wire fraud, conspiracy to commit fraud and related activity in connection with computers, counts of intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer.
The department noted:
In addition to employing Iran-based Bitcoin exchangers, the indictment alleges that the defendants also utilized overseas computer infrastructure to commit their attacks. Savandi and Mansouri would also use sophisticated online reconnaissance techniques (such as scanning for computer network vulnerabilities) and conduct online research in order to select and target potential victims, according to the indictment. According to the indictment, the defendants would also disguise their attacks to appear like legitimate network activity.
“To carry out their scheme, the indictment alleges that the defendants also employed the use of Tor, a computer network designed to facilitate anonymous communication over the internet,” DOJ added.