The Justice Department unsealed charges Wednesday accusing two Iranian men of hacking into American hospitals, universities, government agencies and the city of Atlanta, causing tens of millions of dollars in damages.
More than 200 victims were affected, more than $6 million in ransom was collected and damages exceeded $30 million, officials said. Ransomware encrypts data on affected systems, making it impossible for victims to access their own computer files unless they pay a ransom demand.
Officials said the case marks the first time federal prosecutors have charged individuals with writing their own ransomware and deploying it themselves as part of a criminal scheme to extort money. There is no allegation that the defendants were linked to or working on behalf of the Iranian government.
What made this scheme different from other ransomware operations is the nature of the targeting and the sophisticated way in which the alleged hackers penetrated systems first, then deployed the malware, officials said.
“The defendants did not just indiscriminately ‘cross their fingers’ and hope their ransomware randomly compromised just any computer system,” Assistant Attorney General Brian A. Benczkowski said. “Rather, they deliberately engaged in an extreme form of 21st-century digital blackmail, attacking and extorting vulnerable victims like hospitals and schools, victims they knew would be willing and able to pay.”
The 25-page indictment, returned Monday, charges that the men’s scheme was for their personal profit. The defendants, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, were accused of conspiring to hack and extort victims between December 2015 and this month. The suspects are believed to be in Iran.
“By crippling regular business operations, they put these institutions in a spot where they really couldn’t fight back without paying the ransom,” said Craig Carpenito, the U.S. attorney for the District of New Jersey, where the charges were filed.
Savandi and Mansouri allegedly extorted victims by demanding a ransom paid in the virtual currency bitcoin in exchange for decryption keys to recover the data. They then allegedly exchanged the bitcoin proceeds into Iranian rial using Iran-based bitcoin exchangers.
On Wednesday, the Treasury Department sanctioned two Iran-based men, Ali Khorashadizadeh and Mohammad Ghorbaniyan, who the department said helped exchange the bitcoin ransom payments into rial. The department also listed the digital currency addresses the men used. Anyone who conducts business with either of the men could be subject to secondary sanctions, officials said.
The ransomware in this case, called SamSam, was used in attacks against Atlanta; the city of Newark; the port of San Diego; the Colorado Department of Transportation and six health care-related entities.
The ransomware, first identified in 2015, gained prominence after it afflicted Atlanta in March, hobbling computers in the court system, shutting down WiFi at the international airport, preventing residents from paying water bills online, and forcing police for several days to file reports on paper instead of electronically.
Atlanta refused to pay the anonymous hackers $51,000 in ransom, and recovering from the attack is estimated to have cost the city’s taxpayers more than $9 million.
The SamSam ransomware is not as well-known as WannaCry, a computer virus paired with ransomware that in May 2017 affected more than 300,000 computers in 150 countries. But in some ways, it is more sophisticated. WannaCry, which U.S. officials said was created by North Korea, spread on the open Internet and hit targets indiscriminately.
With SamSam, by contrast, the hackers chose vulnerable targets and then infiltrated their networks, pre-positioning the ransomware on key servers before triggering it — a technique that enabled them to inflict maximum damage immediately, officials and cybersecurity experts said.
SamSam differs from other ransomware because it does not rely on phishing to infiltrate a system but uses other techniques, including what security officials call brute-force attacks to guess weak passwords.
But it shares one key attribute with WannaCry, cyber experts said. Both use a potent cyber tool developed by the National Security Agency that was breached and wound up on the open Internet: EternalBlue. The “exploit,” as hackers call it, takes advantage of a software flaw in some Microsoft Windows operating systems, helping attackers gain access to those computers.
After the NSA notified it of the flaw, Microsoft issued a patch in March 2017, but many companies worldwide and some in the United States did not update their machines and fell victim to WannaCry last year.
The hackers who developed SamSam at some point incorporated EternalBlue into the malware. “SamSam was far more potent with EternalBlue,” said Jake Williams, founder of the cybersecurity company Rendition Infosec. “Their capabilities increased dramatically with it.”
Other ransomware has used EternalBlue, showing how these exploits, once released, can be picked up by anyone — criminals or nation states. And it has raised questions about how agencies such as the NSA protect their hacking tools.