Feds Indict Iranian Hackers For SamSam Ransomware On CDOT, Others
Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, extorted more than $6 million from 200 organizations, including CDOT.

NEWARK, NJ – A federal grand jury returned an indictment, unsealed Wednesday, against two Iranian nationals, charging them with deploying ransomware to extort hospitals, cities and public institutions, including the Colorado Department of Transportation.
Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, are the alleged architects of the "SamSam Ransomware" international computer hacking and extortion scheme. The U.S. Attorney's Office alleges that the two extorted more than $6 million in ransom payments via Bitcoin from 200 institutional victims and caused $30 million in losses to those agencies and businesses.
The computers at CDOT were attacked on Feb. 19, 2019, when Savandi and Mansouri allegedly hacked into the computer network and encrypted all of the agency's computers with SamSam Ransomware, the indictment said. The hackers demanded a ransom paid in Bitcoin in exchange for the decryption keys needed to unlock the agency's computers and the encrypted data.
CDOT announced that the agency had been hacked on Feb. 21 and took 2,000 CDOT employee computers offline. The state said it would not pay a ransom. CDOT employees used personal devices for email or other work. The agency was attacked a second time in March.
"Today’s indictment shows how seriously we take this type of criminal activity," said Deborah Blyth, chief information security officer for the Governor’s Office of Information Technology. "We want to thank the FBI for their partnership and commitment to prosecuting the malicious actors who are responsible for these devastating cyber attacks."
Fortunately, CDOT's computer system was not tied to other state agencies, so the hackers were stopped at the agency level, Blyth said in an email. The network was "segmented" so ransomware was contained to the business operations and didn't bleed into the traffic operations network. That meant highway cameras, variable message boards and the COTrip.org website were unaffected.
"We had system backups that were offline and inaccessible to the attackers. This meant that we were confident in our ability to recover systems and data, and did not have to pay the ransom," she said.
According to a map released by the Department of Justice, more than six agencies or businesses in the state of Colorado were allegedly hacked by the SamSam ransomware.
Savandi and Mansouri are charged with one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer and two substantive counts of transmitting a demand in relation to damaging a protected computer, the U.S. Attorney's Office said in a press release.
According to the indictment, Savandi and Mansouri allegedly developed the SamSam ransomware in December of 2015. Their first victim was a business in Mercer County, New Jersey. Allegedly they hacked into the computers of the business, encrypted all the machines and demanded an unspecified Bitcoin ransom, according to the indictment. When that succeeded, the two allegedly moved on to Hollywood Presbyterian Medical Center in Los Angeles and pulled the same scheme.
The indictment lists hacking incidents at hospitals, municipalities, and public institutions, including the City of Atlanta, Georgia; the City of Newark, New Jersey; the Port of San Diego, California; the Colorado Department of Transportation; the University of Calgary in Calgary, Alberta, Canada; and six health care-related entities: Hollywood Presbyterian Medical Center; Kansas Heart Hospital in Wichita, Kansas; Laboratory Corporation of America Holdings, more commonly known as LabCorp, headquartered in Burlington, North Carolina; MedStar Health, headquartered in Columbia, Maryland; Nebraska Orthopedic Hospital, now known as OrthoNebraska Hospital, in Omaha, Nebraska; and Allscripts Healthcare Solutions Inc., headquartered in Chicago, Illinois.
The indictment alleged that the pair used Tor, a computer network that masks IP addresses over the internet. Savandi and Mansouri allegedly launched their cyber attacks outside regular business hours, and also encrypted backups of the victims’ computers. The most recent alleged ransomware attack happened on Sept. 25, 2018, the indictment said.
The indictment doesn't say which institutions paid ransoms or how much they paid. The Bitcoin payments were allegedly laundered through Bitcoin exchanges into Iranian rial.
“The allegations in the indictment unsealed today—the first of its kind—outline an Iran-based international computer hacking and extortion scheme that engaged in 21st-century digital blackmail,” said Assistant Attorney General Brian A. Benczkowski in a statement. “These defendants allegedly used ransomware to infect the computer networks of municipalities, hospitals, and other key public institutions, locking out the computer owners, and then demanded millions of dollars in payments from them. ... [T]he Criminal Division and its law enforcement partners will relentlessly pursue cybercriminals who harm American citizens, businesses, and institutions, regardless of where those criminals may reside.”
It was unclear if an extradition process exists with the nation of Iran to bring Savandi and Mansouri to the United States for trial.