The Justice Department on Wednesday announced criminal charges in a series of high-profile ransomware attacks against the city governments of Atlanta and Newark, New Jersey, as well as the Port of San Diego, Colorado’s transportation department and a string of hospital systems.
Deputy Attorney General Rod Rosenstein announced the indictments of Iranian citizens Mohammad Mehdi Shah Mansouri and Faramarz Shahi Savandi on six counts, including conspiracy to commit wire fraud and intentional damage to a protected computer. The attacks, dating back to December 2015, have created chaos for state and local information technology officials nationwide as they observed long and costly recovery efforts in places like Atlanta, which may eventually spend $17 million to clean up the mess caused by the ransomware variant known as SamSam.
In total, Rosenstein said, Mansouri and Savandi allegedly carried out more than 200 cyberattacks with the SamSam virus, netting more than $6 million in bitcoin payments from victims that paid the demands. Among the targets that admitted to paying up was Newark, which forked over $30,000 in bitcoins under the advice of law enforcement, Mayor Ras Baraka said Wednesday.
The Justice Department did not identify which of the other victims paid up or the number that did. When victims did pay, Mansouri and Savandi allegedly used a cryptocurrency exchange that converted bitcoins to Iranian rials. But the financial impacts reached far beyond the ransoms that were collected. Brian Benczkowski, the assistant attorney general in charge of the criminal division, said the attacks cost victims tens of millions of dollars in damage to their affected computer networks. The attacks against just 34 targets, he said, caused more than $30 million in losses.
Every computer affected by a SamSam attack was left with a ransom note informing users that their files were encrypted and could only be unlocked in exchange for a payment in bitcoin, and also a threat that if payment was not made in seven days the decryption keys would be deleted, potentially locking victims out of their data forever. Mansouri and Savandi also allegedly created a ransom payment website for each victim.
Many of the attacks mentioned in Wednesday’s charges crippled the abilities of large city governments to serve their residents and hospitals to process patients. The first attack listed came Jan. 11, 2016, when an unnamed business in Mercer County, New Jersey had its computers accessed and installed with the SamSam virus, with a ransom note following. Another attack came Feb. 5, 2016, against the Hollywood Presbyterian Medical Center.
From hospitals to governments
More attacks against hospitals followed, including MedStar Health, which operates several large facilities in the Washington, D.C. area. The March 2016 incident, which demanded a payment of 45 bitcoins — about $19,000 at the time — shut down email services for MedStar’s 30,000 employees and prevented staff from updating records, which forced its hospitals to temporarily turn away patients.
Eventually, Mansouri and Savandi allegedly started focusing on government targets. City hall workers in Newark found themselves locked out of their computers on April 25, 2017. The Colorado Department of Transportation was hit last Feb. 21, knocking about 2,000 computers offline. State officials said at the time that while traffic-control and highway-surveillance operations were not impacted, the department’s back-office functions were crippled.
The ransom amount in the Colorado attack has not been disclosed, but the Colorado Office of Information Technology, which led the response to the attack, told StateScoop earlier this year that recovering from the incident took the skills of as many as 150 IT workers and cost the state up to $2 million.
“Today’s indictment shows how seriously we take this type of criminal activity,” Deborah Blyth, Colorado’s chief information security officer, said in response to the charges against Mansouri and Savandi. “We want to thank the FBI for their partnership and commitment to prosecuting the malicious actors who are responsible for these devastating cyberattacks.”
The Atlanta attack came about a month later, becoming one of the most widespread and costly ransomware incidents on U.S. soil. That attack, which began March 22, swept through the city’s computer systems. Residents lost the ability to pay utility bills online or over the phone, business licenses could only be obtained in-person, and the municipal courthouse couldn’t schedule hearings for nearly a month. Members of the city council reported losing years’ worth of correspondence, and the Atlanta Police Department lost an archive of footage from dashboard-mounted cameras.
In Atlanta, Mansouri and Savandi allegedly asked for a bitcoin payment equal to about $51,000; recovering from the incident may eventually cost the city $17 million. The string of SamSam attacks also prompted officials in the affected jurisdictions to give more consideration to cybersecurity.
“While it should be top of mind for us as elected officials, it’s not something people see and our communities are discussing,” Atlanta Mayor Keisha Lance Bottoms said in May, acknowledging cybersecurity had not been a priority for her because it never came up while she was running for the office in 2017.
Bottoms’ office did not respond to requests for comment on the indictments against Mansouri and Savandi. In a statement following the indictments, Newark’s Baraka said the city’s April 2017 ransomware experience that shut down municipal computer systems led his administration to reassess its cybersecurity practices.
“These attacks seriously compromised our networks and disrupted vital services that we provide to residents,” Baraka said. “The city of Newark has significantly strengthened its cyberdefenses and learned a great deal from having gone through this experience.”
All together, the SamSam attacks hit targets in 45 states and Canada, federal officials said.
‘Sophisticated tools and techniques’
“These defendants didn’t just cross their fingers,” Benczkowski, the assistant attorney general, said. “Rather they engaged in extreme form of 21st century blackmail and vandalism.
According to the 26-page indictment, Mansouri, 27, and Savandi, 34, created the SamSam ransomware and deployed it using “sophisticated tools and techniques” against computer systems belonging to government agencies, hospitals, schools, corporations and other entities, most of which were located in the United States. After developing the virus, they allegedly deployed it by accessing networks without authorization, often masking their identities behind virtual private networks with European addresses.
“Once inside a Victim’s computer network, Defendants used sophisticated hacking techniques and tools to conduct reconnaissance and expand their access to the Victim computer networks,” the document reads. “Among other things, Defendants scanned a Victim’s computer network to identify computers to target for encryption.”
The indictment goes on to state that the reconnaissance phase of the attacks took weeks when SamSam was first developed, but eventually came down to just a few hours by early 2018. After doing their research, Mansouri and Savandi would allegedly install the virus on as many computers as possible, then activate it to encrypt files on the targeted network. The execution was often timed to be most inconvenient for the victims to repel.
“This coordinated encryption attack, which was disguised to appear like legitimate network activity, was usually launched outside regular business hours, when a Victim would find it more difficult to mitigate the attack,” the indictment states. “The simultaneous, mass encryption of a Victim’s computers was intended to—and often did—cripple the regular business operations of the Victims. Without use of their data, most Victims were unable to function normally; many had to shut down or drastically curtail their operations.”
Mansouri and Savandi were charged in U.S. district court in New Jersey. Both men are believed to reside in Tehran, according to the Justice Department. Canadian and British law enforcement agencies assisted the FBI in the investigation, Rosenstein said.
“The case demonstrates our resolve to prosecuting cybercriminals regardless of their location,” he said, though retrieving the suspects from Iran could prove difficult. Amy Hess, the FBI’s executive assistant director who oversees cybercrime investigations, said the bureau will try to catch Mansouri and Savandi if they travel through a third country with which the United States has an extradition treaty.
Read the indictment: