
U.S. Indicts Iranian Hackers Responsible for Deploying 'SamSam' Ransomware

November 29, 2018

By Sarah N. Lynch

WASHINGTON (Reuters) - The United States on Wednesday indicted two Iranians for launching a major cyber attack using ransomware known as "SamSam" and sanctioned two others for helping exchange the Bitcoin ransom payments into Iranian rials.

The 34-month-long hacking scheme wreaked havoc on hospitals, schools, companies and government agencies, including the cities of Atlanta, Georgia, and Newark, New Jersey, causing over $30 million in losses to victims and allowing the alleged hackers to collect over $6 million in ransom payments.

The deployment of the SamSam ransomware represented some of the highest-profile cyber attacks on U.S. soil, including one in 2016 that forced Hollywood Presbyterian Hospital in Los Angeles to turn away patients and one in March of this year that shut down Atlanta courts and much of its city government.

The six-count indictment, unsealed Wednesday in the U.S. District Court for the District of New Jersey, charges Iran-based Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, with one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud related to computers, and other counts accusing them of intentionally damaging protected computers and illegally transmitting demands related to protected computers.

The Treasury Department said it had sanctioned Ali Khorashadizadeh and Mohammad Ghorbaniyan for exchanging the digital-currency ransom payments into rials.

Neither Khorashadizadeh nor Ghorbaniyan was named in the indictment, though the indictment appeared to reference their activities.

"The allegations in the indictment unsealed today — the first of its kind — outline an Iran-based international computer hacking and extortion scheme that engaged in 21st-century digital blackmail," said Assistant Attorney General Brian Benczkowski, in announcing the criminal charges on Wednesday.

Reuters could not immediately locate the four Iranians named by the U.S. government, and it would likely be difficult to hold them accountable in a federal court because the United States does not have an extradition treaty with Iran.

Some cyber security experts said the actions are unlikely to have much impact for that reason.

"These cases are mostly symbolic," said Leroy Terrelonge, an analyst with cyber intelligence firm Flashpoint.

Kimberly Goody, who manages financial crime analysis for cybersecurity firm FireEye, said the SamSam hackers might take a break to modify their operations to make them more difficult to identify and block.

"There may be a lull but I would expect them to continue," she said.

Deputy Attorney General Rod Rosenstein, however, said at a press conference that he remains confident the suspects will be apprehended.

"American justice has a long arm and we will wait and eventually, we are confident that we will take these perpetrators into custody," he said.

According to the Treasury, the SamSam ransomware scheme targeted more than 200 victims.

The indictment, however, only named 12 of them.

In addition to Atlanta and Newark, other victims cited by the Justice Department included healthcare companies such as Laboratory Corporation of America Holdings and Allscripts Healthcare Solutions, Inc., as well as the Colorado Department of Transportation, MedStar Health, the Port of San Diego, the University of Calgary, Nebraska Orthopedic Hospital, Mercer County Business, Hollywood Presbyterian Medical Center and Kansas Heart Hospital.

(Reporting by Sarah N. Lynch; Additional reporting by Lisa Lambert, Makini Brice and Timothy Ahmann in Washington, Jim Finkle in New York and Babak Dehghanpisheh in Geneva; Editing by Susan Thomas and Richard Chang)
