The Department of Justice unsealed indictments Wednesday against two Iranian men for conducting ransomware attacks against more than 200 organizations inside the United States, including municipalities, government agencies and hospitals.
Prosecutors say that Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, used SamSam ransomware to lock the victims’ systems and demand bitcoin in order to decrypt their data. Savandi and Mansouri racked up more than $6 million in ransom payments and caused more than $30 million in damages, according to the indictment issued by a grand jury in New Jersey.
SamSam’s damage has been a public ordeal. The indictment includes notable cases like the attacks on the city of Atlanta, the city of Newark, the Port of San Diego, the Colorado Department of Transportation, and others. Six of the victims were health care-related organizations, prosecutors said.
“Many of the victims were public agencies with missions that involve saving lives and performing other critical missions for the American people,” Deputy Attorney General Rod Rosenstein said at a press conference Wednesday.
Rosenstein said the defendants, acting from inside Iran over the past three years, “gained access to victims’ computers by exploiting cybersecurity weaknesses” in order to install the ransomware. The indictment alleges that they used tools like the Tor network to anonymize their activity.
Rosenstein took the opportunity to dig at the use of popular encryption services, saying that it makes criminal investigations more challenging.
“Sophisticated encryption technologies like the Tor network are used by cybercriminals to commit serious offenses. Those sophisticated technologies pose a real threat to the government’s ability to keep people safe and to ensure the criminals and terrorists are caught and brought to justice,” Rosenstein said.
Authorities say that Savandi and Mansouri deliberately targeted their victims. Brian Benczkowski, the assistant attorney general in charge of DOJ’s criminal division, cited the 2016 SamSam attack on the Kansas Heart Hospital.
“According to the indictment, the defendants conducted online searches concerning the hospital and accessed its website a few days before the attack,” Benczkowski said. “These defendants didn’t just indiscriminately cross their fingers and hope their ransomware randomly compromised just any computer system. Rather, they deliberately engaged in an extreme form of 21st century digital blackmail attacking and extorting vulnerable victims like hospitals and schools, victims they knew would be willing and able to pay.”
The whereabouts of the defendants is not clear, but indictments against foreign-based defendants often make it difficult for them to travel because of the extradition risk.
“Publicly revealing this nefarious hacking scheme will make it harder for the perpetrators and others like them to do business in the future. As a result of the indictment, these defendants are now fugitives from American justice,” Rosenstein said.
You can read the full indictment below.