US charges Iranian hackers over ransomware attacks on major cities

The SamSam ransomware attacked more than 200 victims and cost $30 million in damages.

Alfred Ng, Senior Reporter / CNET News

A wanted poster for the two hackers allegedly behind ransomware attacks affecting more than 200 victims.

Federal Bureau of Investigation

The Justice Department unveiled charges against two Iranian hackers who allegedly masterminded ransomware attacks targeting major cities, including Atlanta, San Diego and Newark, shutting down key public services throughout the country.

The alleged attackers, Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, caused more than $30 million in damages by deploying the SamSam ransomware on more than 200 victims, prosecutors said at a press conference on Wednesday.

Ransomware attacks infect computers, holding their content hostage unless victims pay the hackers to release their machines. In 2017, the WannaCry ransomware ensnared computers around the world after North Korean hackers attacked systems in hospitals, universities and banks.

Brian Benczkowski, who heads the Justice Department's criminal division, said the Iranian hackers weren't tied to a government and noted that this was the first criminal indictment against hackers "deploying a for-profit ransomware."

The ransomware netted more than $6 million in bitcoin payments, Deputy Attorney General Rod Rosenstein said.

"Many of the victims were public agencies with missions that involve saving lives and performing other critical functions for the American people," Rosenstein said.

According to court documents, Savandi and Mansouri specifically targeted critical infrastructure, such as hospitals and city systems, to extort as much money as possible. The pair allegedly looked for vulnerabilities thoroughly, US attorney Craig Carpenito said.

"Money is not their sole objective. They're seeking to harm our institutions and our critical infrastructure," Carpenito said. "They're trying to impact our way of life."


A map showing SamSam's attacks across the US.

Department of Justice

The hackers targeted institutions that would be hurt the most by being locked out of their systems, the prosecutor said.

Along with Atlanta, victims included the city of Newark, New Jersey, Colorado's Department of Transportation, the University of Calgary in Canada, and hospitals in Los Angeles, Kansas, North Carolina, Maryland, Nebraska and Chicago.    

The ransomware attack on Atlanta's computers targeted critical systems, making it impossible for the city to pay bills online or access electronic court documents from March to June this year. The city's officials refused to pay the ransom, and the recovery effort was estimated to cost $17 million.

Atlanta wasn't alone, as the Port of San Diego suffered an attack in September, limiting access to park permits, public records and business services.

Thirty-four victims alone racked up damages totaling $30 million, Carpenito said. It's unclear what happened to the other victims.

According to the indictment, the Iranian hackers created the SamSam ransomware in December 2015 and carried out attacks as recently as September this year.

The ransomware infiltrates computer networks and spreads across devices. The malware takes over administrators' rights and then encrypts servers and files, demanding victims pay up to regain control.

The alleged hackers would search for vulnerabilities through online scans and attack outside of business hours to cause as much damage as possible, prosecutors said.

The Treasury Department also unveiled actions against Ali Khorashadizadeh and Mohammad Ghorbaniyan, two Iranians who allegedly helped exchange the paid bitcoin ransoms into Iranian currency. Bitcoin wallets linked to the alleged hackers were used for more than 7,000 transactions, the department said.

"Treasury is targeting digital currency exchangers who have enabled Iranian cyber actors to profit from extorting digital ransom payments from their victims," Sigal Mandelker, Treasury Under Secretary for Terrorism and Financial Intelligence, said in a statement. 

Savandi and Mansouri are charged with conspiracy to commit wire fraud and intentional damage to a protected computer. Iran doesn't extradite to the US, so the two alleged hackers are now "fugitives from American justice," the Justice Department said. The hackers alleged to have conducted cyberattacks on HBO are also from Iran.

"By calling out those who threaten American systems, we expose criminals who hide behind their computer and launch attacks that threaten our public safety and national security," the FBI's executive assistant director Amy Hess said.

Originally published at 8:34 a.m. PT. 
Updated at 8:47 a.m.: To include statements from the Treasury Department.