U.S. government officials took action Wednesday against four Iranians suspected of participating in a years-long, worldwide plot to hack computers and hold them for ransom — marking the first time law enforcement officials have added bitcoin addresses to a list of foreign entities with imposed sanctions.
The scheme resulted in more than $6 million in direct ransom payments to the attackers, law enforcement officials said. Among those infected by the malware were the cities of Atlanta, Newark and San Diego, along with health-care institutions in Chicago, Los Angeles and Wichita.
The indictment paints a picture of “21st century digital blackmail," Assistant Attorney General Brian A. Benczkowski, who leads the Justice Department’s criminal division, said in a statement.
The two men, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, allegedly probed vulnerable computer networks for security gaps that they then exploited to install ransomware — malicious software designed to encrypt a computer’s data so that it makes it inaccessible to the rightful user.
“Defendants extorted Victims by leaving a ransom note in the form of a file on each computer encrypted by SamSam Ransomware,” according to the indictment, which was unsealed Wednesday in federal court in New Jersey. “Each Victim’s ransom note told the Victim that its files were encrypted, told the Victim that it would have to pay Bitcoin to get the decryption keys.”
After disabling computers used by the city of Newark last spring, for example, Savandi and Mansouri allegedly demanded 1.7 bitcoin for each affected personal computer, the government said. At the time, one bitcoin was worth more than $1,250, according to the website Coinmarketcap.com.
Once the ransom money was paid, two other Iranian nationals allegedly converted the illicit funds into Iranian riyals, the Treasury Department said Wednesday. Treasury officials identified the individuals as Ali Khorashadizadeh and Mohammad Ghorbaniyan, and described them as central to the plot. Neither was named in the Justice Department’s indictment, which refers only to two “Bitcoin exchanger[s] based in Iran.”
The Treasury Department’s Office of Foreign Assets Control said Wednesday it had taken the unprecedented step of adding two bitcoin accounts associated with Khorashadizadeh and Ghorbaniyan to its individual sanctions list.
“Today’s action marks the first time OFAC is publicly attributing digital currency addresses to designated individuals,” the agency said in a release, adding that it reflects a broader U.S. campaign to pressure the Iranian government “and compel the regime to change its behavior.”
The Justice Department’s indictment did not include allegations that Savandi and Mansouri were acting on behalf of the Iranian government.
This is not the first time the Justice Department has issued charges over a ransomware plot. In September, the U.S. government indicted a North Korean man for his alleged involvement in the WannaCry attack that affected FedEx, Renault and Britain’s National Health Service, among others.