Two Iranian men have been charged with deploying a sinister type of ransomware that crippled the operations of hospitals, municipalities, public institutions, and other critical networks in the United States and Canada, officials from the Department of Justice and the FBI announced on November 28. Victims were infected with the ransomware through vulnerabilities found in common software and network access points.
Beginning in 2015 and continuing until September 2018, SamSam ransomware infiltrated computer networks in Atlanta, Newark, and San Diego, as well as those of major health care providers, the University of Calgary, and others. Once deployed, the malware encrypted data and files. The creators then demanded payment by virtual currency to restore access to affected systems, a crime Assistant Attorney General Brian A. Benczkowski called “21st century blackmail” during a press conference today at the Department of Justice in Washington, D.C.
The toll of these cyberattacks was staggering: more than 230 entities infected, $6 million in ransom payments extorted, and an estimated $30 billion in damages to the affected public and private institutions.
“The actions highlighted today, which represent a continuing trend of cyber criminal activity emanating from Iran, were particularly threatening, as they targeted public safety institutions, including U.S. hospital systems and governmental entities,” said Amy Hess, executive assistant director of the FBI’s Criminal, Cyber, Response, and Services Branch. “As cyber threats evolve and cyber criminals develop more sophisticated techniques, so do we.”
The case was investigated through a coordinated international effort between the FBI, the United Kingdom’s National Crime Agency and West Yorkshire Police, and Canada’s Calgary Police Service and Royal Canadian Mounted Police. Significant assistance was provided by the Justice Department’s National Security Division and the Criminal Division’s Office of International Affairs. The courage and the cooperation of the
In the federal indictment unsealed in Newark, the U.S. Attorney for the District of New Jersey charged Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri with one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer, and two substantive counts of transmitting a demand in relation to damaging a protected computer.
According to the indictment, Savandi and Mansouri created the first version of the SamSam ransomware in December 2015 and created further refined versions in June and October 2017. In addition to employing Iran-based Bitcoin exchangers, the indictment alleges that the defendants also used overseas computer infrastructure to commit their attacks. Savandi and Mansouri would also use sophisticated online reconnaissance techniques (such as scanning for computer network vulnerabilities) and conduct online research in order to select and target potential victims, and would disguise their attacks to appear like legitimate network activity, according to the indictment.
To carry out their scheme, the indictment alleges that the defendants also employed Tor, a computer network designed to facilitate anonymous communication over the internet. According to the indictment, the defendants maximized the damage caused to victims by launching attacks outside regular business hours, when a victim would find it more difficult to mitigate the attack, and by encrypting backups of the victims’ computers. This was intended to cripple, and often did cripple, the regular business operations of the victims, according to the indictment. The most recent ransomware attack against a victim alleged in the indictment took place on September 25, 2018.
Although the alleged criminal actors are in Iran and currently out of the reach of U.S. law enforcement, they can be apprehended if they travel, and the United States is exploring other avenues of recourse.