DOJ Charges Iranian Nationals With Running $30M Hacking, Extortion Scheme

Two Iranian men have been charged with operating a long-running international hacking and extortion scheme in which they targeted public institutions with ransomware causing $30 million in losses, the Justice Department announced Wednesday.

A federal grand jury returned a six-count indictment, unsealed Wednesday in Newark, New Jersey, charging Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, with fraud and conspiracy charges related to the creation of the SamSam Ransomware program. The pair remain at large, possibly still operating in Iran.

“The Iranian defendants allegedly used hacking and malware to cause more than $30 million in losses to more than 200 victims,” Deputy Attorney General Rod Rosenstein said in announcing the charges Wednesday. “According to the indictment, the hackers infiltrated computer systems in 10 states and Canada and then demanded payment. The criminal activity harmed state agencies, city governments, hospitals, and countless innocent victims.”

According to the DOJ, Savandi and Mansouri allegedly accessed the computers illegally by penetrating security vulnerabilities in their networks. They then allegedly installed and executed the SamSam Ransomware on the networks, resulting in the encryption of data on the victims' computers.

Prosecutors alleged that the hackers would subsequently extort the victims by demanding ransoms to be paid in bitcoin in exchange for codes to restore their computers to normal operation. The bitcoin was then exchanged into Iranian currency, according to the DOJ, which alleged that the scheme netted Savandi and Mansouri more than $6 million in ransom payments and caused over $30 million in losses to victims.

“The allegations in the indictment unsealed today—the first of its kind—outline an Iran-based international computer hacking and extortion scheme that engaged in 21st-century digital blackmail,” said Assistant Attorney General Brian Benczkowski in a DOJ statement.

“These defendants allegedly used ransomware to infect the computer networks of municipalities, hospitals, and other key public institutions, locking out the computer owners, and then demanded millions of dollars in payments from them. As today's charges demonstrate, the Criminal Division and its law enforcement partners will relentlessly pursue cybercriminals who harm American citizens, businesses, and institutions, regardless of where those criminals may reside.”

The Justice Department indicated that more than 200 entities were affected by the scheme, including the City of Atlanta, Georgia; the City of Newark, New Jersey; the Port of San Diego, California; the Colorado Department of Transportation; the University of Calgary in Calgary, Alberta, Canada; and six health care-related entities: Hollywood Presbyterian Medical Center in Los Angeles, California; Kansas Heart Hospital in Wichita, Kansas; Laboratory Corporation of America Holdings, more commonly known as LabCorp, headquartered in Burlington, North Carolina; MedStar Health, headquartered in Columbia, Maryland; Nebraska Orthopedic Hospital now known as OrthoNebraska Hospital, in Omaha, Nebraska and Allscripts Healthcare Solutions Inc., headquartered in Chicago, Illinois.

Prosecutors said Savandi and Mansouri authored the first version of the SamSam program in December 2015 and continued to refine and create more versions of it through 2017.

Additionally, Savandi and Mansouri used ”sophisticated online reconnaissance techniques (such as scanning for computer network vulnerabilities),” prosecutors alleged.

The defendants allegedly conducted online searches to scope out potential victims and,  according to the DOJ, they would also conceal their activities to look like normal network business.