Two Iranian Men Indicted for SamSam Ransomware Attacks

Two Iranian men, allegedly the hackers behind the SamSam ransomware attacks, have been indicted by a federal grand jury in New Jersey for holding public computer systems hostage.

Faramarz Shahi Savandi, 34, and Mohammad Shah Mansouri, 27, have been charged with extorting millions of dollars through the devastating ransomware attacks they allegedly planned and executed. The Verge reports, “The Justice Department unsealed an indictment against both men today, alleging that they collected $6 million by targeting more than 200 victims — including the cities of Atlanta, Georgia, and Newark, New Jersey.”

Reports say that Savandi and Mansouri launched their attacks in 2015 and targeted hospitals and infrastructure. Using the SamSam ransomware that they allegedly developed, they reportedly encrypted machines and demanded ransoms, mostly amounting to tens of thousands of dollars, which had to be paid to their bitcoin accounts, in return for de-encrypting the systems. The Verge report says that as per the Treasury Department, the bitcoin accounts of the two hackers processed over 7,000 transactions, all of which necessarily need not be related to SamSam.

The Denver Post reports, “Faramarz Shahi Savandi, 34, and Mohammad Shah Mansouri, 27, face six counts in the indictment. They are accused of authoring the ransomware, named SamSam, and unleashing it on more than 200 victims, including the cities of Atlanta and Newark, the port of San Diego, and six health care corporations.”

The report further says, “The two men allegedly would extort their targets by demanding that the ransoms were paid in Bitcoin, a digital currency. The men would then use Iran-based Bitcoin exchangers to convert the digital currency into rial, Iran’s monetary system…The two allegedly collected $6 million in U.S. ransom payments and caused more than $30 million in losses to more than 200 victims, Deputy Attorney General Rod Rosenstein said in the news release.”

Among the duo’s high-profile attacks was an attack on Atlanta, which happened in March 2018 and which impacted major basic municipal functions, including the paying of water bills and parking tickets. Fortunately, Atlanta’s emergency services weren’t affected. The U.S Justice Department has listed attacks in 43 states, credited to the two Iranian hackers.

“In a press conference, US Attorney Craig Carpenito told reporters that Savandi and Mansouri “worked hard to identify the most vulnerable targets that they could,” and not just because they would be more likely to pay up. “Money is not their sole objective,” he claimed. “They’re seeking to harm our institutions and critical infrastructure. They’re trying to impact our way of life.””- writes Adi Robertson, Senior Reporter, The Verge.

The Colorado Department of Transportation also featured among the high-profile organizations attacked by the hacker duo. The department was hacked late in February 2018; the hackers had accessed the department’s network, following which they tried to get the department to pay a ransom for getting the file de-encrypted. The ransom, however, was not paid but the incident cost the state at least $1.5 million, as per reports. The computer system at CDOT was shut down for days and the Colorado National Guard too was brought in to tackle the issue.

Reports say that the Justice Department hasn’t revealed details regarding the number of people who reported attacks to law enforcement or the number of people who paid ransom to the hackers. The Justice Department, however, has advised targets not to pay ransom.

There have already been reports of organizations having paid up; the list of such institutions includes popular names like Indiana hospital Hancock Health.

Deserving mention is the fact that this is the first time that the United States has added to its sanctions list cryptocurrency wallets as well. Thus, any party that interacts with the accounts that have been included in the list of sanctions would also be potentially liable for sanctions. This eventually would lead to the banning of paying ransoms in SamSam attacks.