US Charges Hackers in Multimillion Dollar Ransomware Campaign

by Chris Brook on Thursday November 29, 2018

Contact Us
Free Demo
Chat

The Department of Justice indicted two men and the on Wednesday for their role in a chain of devastating ransomware attacks dating back to 2015. The US Treasury Department - for the first time ever - sanctioned two Bitcoin addresses used by the men to funnel funds.

We learned Wednesday that some of most damning ransomware attacks over the last couple years, including one that brought the city of Atlanta to a veritable standstill this spring, appear to have been carried out by just two men.

The Department of Justice said in Wednesday morning that two men from Iran, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, allegedly wrote and distributed SamSam, a strain of ransomware that's been linked to attacks against more than 200 victims, mostly hospitals, since late 2015.

According to the indictment, which was unsealed in New Jersey, the wave of attacks spanned 34 months, beginning in December 2015, with the latest occurring in September. The men used Tor – software designed to anonymize web browsing, encrypted backups of victim computers, and overseas computer infrastructure to carry out their attacks.

The men reportedly collected $6 million in ransom payments from victims in 10 states and Canada. Ultimately the true damage to victims was five times that sum; the DOJ claims the malware was reportedly responsible for over $30 million in losses.

The men first exploited security vulnerabilities on victim’s machines, then installed and executed SamSam in order to encrypt victims' files. While the indictment (.PDF) doesn’t specify the exact vulnerabilities the men exploited, researchers have said previously that many instances of SamSam make use of vulnerable JBoss host servers, remote desktop protocols and file transfer protocols in order to brute force access to systems.

One of the first attacks to make headlines, against the Hollywood Presbyterian Medical Center in Los Angeles, occurred in February 2016 and subsequently cost the hospital $17,000 to restore access to their files.

The Atlanta cyberattack, which knocked much of its government offices offline, cost the city $2.7 million to repair its systems and remediate the attack. Many online services citizens used to pay bills and request utility service, in addition to programs used to store legal documents and police dashcam video files, were taken offline.

Other victims included the city of Newark, the Port of San Diego, one of the world's leading lab diagnostics provider, LabCorp, and Allscripts Healthcare Solutions, a company that supplies EHR systems for thousands of physician practices nationwide. The Allscripts outage left many practices in the dark in January, forcing some to turn away patients.

The men were indicted on six counts, one of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer and two substantive counts of transmitting a demand in relation to damaging a protected computer.

While Savandi and Mansouri were indicted this week, it’s of course unclear whether the two will ever be apprehended; it's believed the defendants are fugitives, still operating in Iran.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned two other Iranian men on Wednesday for allegedly helping Savandi and Mansouri exchange the Bitcoin payments for rial, the currency of Iran. According to the Treasury, the OFAC identified two digital currency addresses the two used to process transactions that involved Bitcoin from the ransomware.

Ransomware image via Christiaan Colen's Flickr photostream, Creative Commons

Tags: Ransomware

Recommended Resources


  • An overview of the FFIEC CAT
  • How to use the CAT to identify areas of risk
  • How Digital Guardian helps reduce these risks
  • A compliance timeline for all 18 provisions
  • Financial services case studies
  • How Digital Guardian can help

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.