The Justice Department announced charges against two Iranian hackers allegedly behind ransomware attacks in major cities like Atlanta, San Diego, Colorado and Newark.
The alleged attackers, Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, caused more than $30 million in damages using the SamSam ransomware on over 200 victims, prosecutors said at a press conference on Wednesday.
Ransomware attacks infect computers and hold them hostage unless victims pay the hackers to release their machines. The WannaCry ransomware attack ensnared computers around the world in 2017, after North Korean hackers attacked computers in hospitals, universities and banks.
The Iranian hackers are not tied to any governments, as Brian Benczkowski, the Justice Department’s criminal division head, said this was the first criminal indictment against hackers “deploying a for-profit ransomware.”
The ransomware netted the two more than $6 million in bitcoin payments, Deputy Attorney General Rod Rosenstein said.
“Many of the victims were public agencies with missions that involve saving lives and performing other critical functions for the American people,” he said.
According to court documents, Savandi and Mansouri specifically targeted critical infrastructure like hospitals and city systems to extort as much money as possible. The alleged attackers researched for vulnerabilities thoroughly, US attorney Craig Carpenito said.
“Money is not their sole objective. They’re seeking to harm our institutions and our critical infrastructure,” Carpenito said. “They’re trying to impact our way of life.”
The hackers would target institutions that would be hurt the most by being locked out of their systems, the prosecutor said.
Along with Atlanta, victims included the city of Newark, New Jersey, Colorado’s Department of Transportation, the Unviersity of Calgary in Canada, and hospitals in Los Angeles, Kansas, North Carolina, Maryland, Nebraska and Chicago.
The ransomware attack on Atlanta’s computers targeted critical systems, making it impossible for the city to pay bills online or access electronic court documents from March to June this year. The city’s officials refused to pay the ransomware, and the recovery effort was estimated to cost $17 million.
Atlanta wasn’t alone, as the Port of San Diego suffered an attack in September, limiting access to park permits, public records and business services.
While the attacks hit more than 200 victims, 34 victims alone amounted to $30 million in damages, Carpenito said.
According to the indictment, the Iranian hackers created the SamSam ransomware first in December 2015, and carried out attacks as recent as September this year.
The SamSam ransomware infiltrates computer networks and spreads across devices. The malware takes over administrators’ rights and then encrypts servers and files, demanding victims pay up to regain control.
They would search for vulnerabilities through scans online, and attack outside of business hours to cause as much damage as possible, prosecutors said.
The Treasury Department also announced actions against Ali Khorashadizadeh and Mohammad Ghorbaniyan, two Iranians who allegedly helped exchange the paid bitcoin ransoms into Iranian currency. The bitcoin wallets that the alleged hackers used had more than 7,000 transactions, the agency said.
“Treasury is targeting digital currency exchangers who have enabled Iranian cyber actors to profit from extorting digital ransom payments from their victims,” Sigal Mandelker, Treasury Under Secretary for Terrorism and Financial Intelligence, said in a statement.
Savandi and Mansouri are charged with conspiracy to commit wire fraud, and intentional damage to a protected computer. While Iran does not extradite to the US — as the alleged hackers behind cyberattacks on HBO are also from Iran — the Justice Department said the two alleged hackers are now “fugitives from American justice.”
“By calling out those who threaten American systems, we expose criminals who hide behind their computer and launch attacks that threaten our public safety and national security,” the FBI’s executive assistant director Amy Hess said.
You can read the full indictment here:
Originally published at 8:34 a.m. PT.
Updated at 8:47 a.m.: To include statements from the Treasury Department.