DOJ Charges 2 Iranian Hackers for Major Ransomware Attack on U.S. Cities

Two Iranian nationals have been charged for their involvement in a multi-million dollar international computer-hacking scheme, allegedly using a sophisticated malware system to extort more than 200 victims for ransom, the Department of Justice announced Wednesday.

For 34 months, Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 24, allegedly extorted more than $30 million in damages by using ransomware known as "SamSam” all while covering their tracks to look like legitimate computer activity, according to the unsealed six-count indictment.

“SamSam ransomware is a dangerous escalation of cybercrime,” said Craig Carpenito, the U.S. attorney for New Jersey said on Wednesday. “This is a new type of cybercriminal. Money is not their sole objective. They are seeking to harm our institutions and our critical infrastructure.”

The pair have been charged with one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two counts of intentional damage to a protected computer, and two counts of transmitting a demand in relation to damaging a protected computer.

“This indictment demonstrates the FBI’s continuous commitment to unmasking malicious actors behind the world’s most egregious cyber attacks,” said Amy Hess, executive assistant director of the FBI’s cyber team. “By calling out those who threaten American systems, we expose criminals who hide behind their computer and launch attacks that threaten our public safety and national security.”

Authorities alleged that in 2015, while in Iran, the two hackers targeted U.S. hospitals, state agencies, city governments, and other public institutions—all entities that carry out life-saving services—in order to maximize their chances of getting paid the ransom in cryptocurrency.

After accessing these computers through security vulnerabilities, they would install and execute SamSam ransomware, which would “forcibly” encrypt data on the victims’ computers and demand money in order to revert the changes. Once they received their payment, they would exchange the profits into Iranian currency using Iran-based Bitcoin exchange services and provide their victims with decryption keys.

“The conspirators collected more than $6 million in extortion payments and caused more than $30 million in losses,” Deputy Attorney General Rod Rosenstein said on Wednesday. “Many of the victims were public agencies with missions that involve saving lives and performing other critical functions for the American people.”

Major victims included the cities of Atlanta, Newark, the port of San Diego, the Colorado Department of Transportation, six health care-related entities, and the University of Calgary in Canada.

The March ransomware attack on Atlanta and its municipal government is considered to be one of the most sustained and consequential cyber-attacks ever brought against a major American city. The ransom allegedly demanded by the two hackers amounted to about $51,000, but left parts of the city’s online network unusable for almost a week and cost almost $3 million to repair.

“This is much bigger than a ransomware attack,” Mayor Keisha Lance Bottoms said at a press conference at the time. “This really is an attack on the government, which means its an attack on all of us.”

The two men are believed to still be in Iran and remain fugitives. Though the U.S. does not have an extradition treaty with Iran, the Justice Department said on Wednesday they remain confident the men will be charged one day.

“American justice has a long arm and we will wait and eventually we’re confident that we will take these perpetrators into custody,” Rosenstein said.