2 Iranians indicted for computer crimes that caused $30 million in damage to CDOT, others

Published Saturday, December 1, 2018
by Chris Sorensen

The United States Department of Justice announced this week that two men from Iran had been indicted for infecting computers at government and healthcare agencies across the United States and at least one Canadian university. The ransomware infection is believed to have caused $30 million in damages.

The Colorado Department of Transportation was one of numerous victims of the SamSam Ransomware in February and March of this year. The malicious software encrypted dozens of computers, rendering them unusable. CDOT refused to pay the requested ransom and instead spent weeks wiping and rebuilding its systems.

The indictment handed down by a grand jury in Newark, New Jersey, Wednesday names Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, both of Iran, for their role in a 34-month computer hacking and extortion scheme that used the malicious software to encrypt information on compromised computers. They then demanded payment in exchange for instructions on how to decrypt the infected machines. Payment was to be made in Bitcoin, a virtual currency whose public ledger records every transaction but ties it only to a pseudonymous address rather than to a person's name, which makes payments harder, though not impossible, to trace. The pair are said to have received more than $6 million in ransom payments.

Photo: Mohammad Mehdi Shah Mansouri. Courtesy Federal Bureau of Investigation.

The DOJ says more than 200 victims were affected, and included hospitals, cities, and other public institutions.

"According to the indictment, the hackers infiltrated computer systems in 10 states and Canada and then demanded payment. The criminal activity harmed state agencies, city governments, hospitals, and countless innocent victims," said Deputy Attorney General Rod J. Rosenstein.

Savandi and Mansouri are said to have targeted public safety agencies and hospitals because those organizations depend on their computer systems to serve the public and provide healthcare without interruption, and so face strong pressure to pay quickly. They are alleged to have first created the SamSam Ransomware in December 2015 and to have continued releasing updated versions into late 2017.

Map: SamSam ransomware victim locations. Courtesy Federal Bureau of Investigation.

Using online reconnaissance, Savandi and Mansouri selected their targets and disguised their intrusions to look like legitimate network activity, according to the indictment. Attacks were launched outside regular business hours, when victims would find it more difficult to notice and contain the malicious activity. At least one attack is said to have started as recently as September 2018.

Savandi and Mansouri have been charged with one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two counts of intentional damage to a protected computer and two counts of transmitting a demand in relation to damaging a protected computer.

Both men are now wanted by the Federal Bureau of Investigation. Anyone with information about the two men, or who may be a victim of SamSam Ransomware, is encouraged to contact a local FBI office or nearest American Embassy or Consulate.