Two Iranians Charged in SamSam Ransomware AttacksUS Prosecutors Allege Pair Targeted More Than 200 Victims, Including Cities, Hospitals
A federal grand jury has indicted two Iranians for allegedly waging SamSam ransomware attacks on more than 200 entities, including Atlanta and other municipalities and six healthcare organizations. They collected $6 million in ransoms and caused more than $30 million in losses to victims, prosecutors allege.
In a statement issued Wednesday, the U.S. Department of Justice announced that a Newark, New Jersey federal grand jury returned an indictment charging Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, in connection with a 34-month-long international computer hacking and extortion scheme involving the deployment of sophisticated ransomware.
"The allegations in the indictment unsealed today - the first of its kind - outline an Iran-based international computer hacking and extortion scheme that engaged in 21st-century digital blackmail."
—Assistant Attorney General Brian Benczkowski
The six-count indictment alleges that Savandi and Mansouri, acting from inside Iran, authored SamSam malware that forcibly encrypted data on the computers of victims.
"The allegations in the indictment unsealed today - the first of its kind - outline an Iran-based international computer hacking and extortion scheme that engaged in 21st-century digital blackmail," said Assistant Attorney General Brian Benczkowski of the Justice Department's Criminal Division.
"These defendants allegedly used ransomware to infect the computer networks of municipalities, hospitals and other key public institutions, locking out the computer owners, and then demanded millions of dollars in payments from them."
The DOJ alleges that beginning in December 2015, Savandi and Mansouri accessed the computers of victim entities without authorization through security vulnerabilities and installed and executed the SamSam ransomware, resulting in the encryption of data on the victims' computers.
According to the indictment, Savandi and Mansouri then extorted victims by demanding a ransom paid in bitcoin in exchange for decryption keys, collected ransom payments from some of the victims, and then exchanged the bitcoin proceeds into Iranian rial using Iran-based bitcoin exchangers.
Prosecutors say the list of more than 200 victims includes the cities of Atlanta and Newark; the Port of San Diego, California; the Colorado Department of Transportation; and the University of Calgary in Calgary, Alberta, Canada. Also among those attacked were six healthcare-related entities: Hollywood Presbyterian Medical Center in Los Angeles; Kansas Heart Hospital in Wichita, Kansas; Laboratory Corporation of America Holdings, more commonly known as LabCorp, headquartered in Burlington, North Carolina; MedStar Health, based in Columbia, Maryland; Nebraska Orthopedic Hospital, now known as OrthoNebraska Hospital, in Omaha, Nebraska; and Allscripts Healthcare Solutions Inc. in Chicago.
"According to the indictment, the hackers infiltrated computer systems in 10 states and Canada and then demanded payment. The criminal activity harmed state agencies, city governments, hospitals and countless innocent victims," said Deputy Attorney General Rod Rosenstein.
Savandi and Mansouri are charged with one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two counts of intentional damage to a protected computer and two counts of transmitting a demand in relation to damaging a protected computer.
Prosecutors allege that Savandi and Mansouri created the first version of the SamSam ransomware in December 2015 and then created refined versions in June and October 2017.
In addition to using Iran-based bitcoin exchangers, the indictment alleges that the defendants also used overseas computer infrastructure to commit their attacks. Savandi and Mansouri allegedly used sophisticated online reconnaissance techniques - such as scanning for computer network vulnerabilities - and conducted online research to select and target potential victims, according to the indictment.
The two alleged hackers also disguised their attacks to appear like legitimate network activity, prosecutors contend.
To carry out their scheme, the indictment alleges, the defendants also employed the use of Tor, a computer network designed to facilitate anonymous communication over the internet.
Maximizing the Damage
Prosecutors allege the two defendants maximized the damage caused to victims by launching attacks outside regular business hours, when a victim would find it more difficult to mitigate the attack, and by encrypting backups of the victim organization's computers.
"This was intended to - and often did - cripple the regular business operations of the victims," according to the indictment.
For instance, the cyberattack on MedStar Health, a 10-hospital system serving Maryland and the Washington, D.C. area, forced the organization to shut down many of its systems to avoid the spread of the malware, disrupting patient care delivery for several days.
Prosecutors said the most recent alleged ransomware attack targeted the Port of San Diego on Sept. 25.
In addition to the DOJ indictments of Savandi and Mansouri, the U.S. Treasury Department's Office of Foreign Assets Control announced Wednesday that it imposed sanctions against two other Iran-based individuals, Ali Khorashadizadeh and Mohammad Ghorbaniyan. Treasury Department officials say these two allegedly helped exchange bitcoin ransom payments into Iranian rial on behalf of the pair of Iranian hackers allegedly involved with the SamSam ransomware scheme.
Also, the Treasury Department said it identified two digital currency addresses associated with these two financial facilitators. More than 7,000 transactions in bitcoin, worth millions of U.S. dollars, have processed through these two addresses - some of which involved SamSam ransomware derived bitcoin, the Treasury Department said.
"Treasury is targeting digital currency exchangers who have enabled Iranian cyber actors to profit from extorting digital ransom payments from their victims," says Sigal Mandelker, Treasury's under secretary for terrorism and financial intelligence. "As Iran becomes increasingly isolated and desperate for access to U.S. dollars, it is vital that virtual currency exchanges, peer-to-peer exchangers and other providers of digital currency services harden their networks against these illicit schemes."
Mandelker also noted: "We are publishing digital currency addresses to identify illicit actors operating in the digital currency space. Treasury will aggressively pursue Iran and other rogue regimes attempting to exploit digital currencies and weaknesses in cyber and AML/CFT [Anti-Money Laundering and Combating the Financing of Terrorism] safeguards to further their nefarious objectives."
A Symbolic Move?
It seems unlikely that the two Iranians indicted in connection with the SamSam attacks will be arrested and held accountable in a federal court because the United States does not have an extradition treaty with Iran.
"These cases are mostly symbolic," Leroy Terrelonge, an analyst with cyber intelligence firm Flashpoint, tells Reuters.
Kimberly Goody, who manages financial crime analysis for cybersecurity firm FireEye, tells Reuters that the SamSam hackers might take a break to modify their operations to make them more difficult to identify and block. "There may be a lull but I would expect them to continue," she says.
Nevertheless, Rosenstein, the deputy attorney general, said at a Wednesday press conference that he remains confident the suspects will be apprehended, according to Reuters. "American justice has a long arm and we will wait and eventually, we are confident that we will take these perpetrators into custody," he said.
Not Unusual Step
Privacy attorney Iliana Peters of the law firm Polsinelli tells Information Security Media Group that it's not unusual for federal law enforcement authorities to indict hackers or other cybercriminals for crimes committed against U.S. healthcare organizations. Federal agencies encourage victims to cooperate with law enforcement investigations.
"It is not unusual for DOJ, FBI, and/or Secret Service to take these steps. They routinely do these types of investigations and indictments. This is a large part of the work of cyber-crimes units, and that's a good thing for healthcare entities," Peter says.
Guidance that the Department of Health and Human Services' Office for Civil Rights issued after the WannaCry attack last year "makes very clear that a HIPAA covered entity's or business associate's second step after an attack, after working to stop the security incident itself, is to contact law enforcement, not only because they may have an ongoing case, but also because they may be able to help the entity recover from the particular attack," she says.