2 Iranian men indicted for deploying ransomware to extort hospitals and municipalities

NEWARK, NJ — An indictment returned by a federal grand jury was unsealed Nov. 28 in Newark, charging Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, both of Iran, in a 34-month-long international computer hacking and extortion scheme involving the deployment of sophisticated ransomware, announced U.S. Attorney Craig Carpenito for the district of New Jersey, Deputy Attorney Gen. Rod J. Rosenstein, Assistant Attorney Gen. Brian A. Benczkowski of the Justice Department’s Criminal Division and Executive Assistant Director Amy S. Hess of the FBI.

The six-count indictment alleges that Savandi and Mansouri, acting from inside Iran, authored malware, known as “SamSam Ransomware,” capable of forcibly encrypting data on the computers of victims. According to the indictment, beginning in December 2015, Savandi and Mansouri would then allegedly access the computers of victim entities without authorization through security vulnerabilities, and install and execute the SamSam Ransomware on the computers, resulting in the encryption of data on the victims’ computers. These more than 200 victims included hospitals, municipalities and public institutions, according to the indictment, including the city of Atlanta, Ga.; the city of Newark, N.J.; the port of San Diego, Calif.; the Colorado Department of Transportation; the University of Calgary in Calgary, Alberta, Canada; and six health care-related entities: Hollywood Presbyterian Medical Center in Los Angeles, Calif.; Kansas Heart Hospital in Wichita, Kan.; Laboratory Corporation of America Holdings, more commonly known as LabCorp, headquartered in Burlington, N.C.; MedStar Health, headquartered in Columbia, Md.; Nebraska Orthopedic Hospital, now known as OrthoNebraska Hospital, in Omaha, Neb.; and Allscripts Healthcare Solutions Inc., headquartered in Chicago, Ill.

According to the indictment, Savandi and Mansouri would then extort victim entities by demanding a ransom paid in the virtual currency Bitcoin in exchange for decryption keys for the encrypted data, collecting ransom payments from victim entities that paid the ransom, and exchanging the Bitcoin proceeds into Iranian rial using Iran-based Bitcoin exchangers. The indictment alleges that, as a result of their conduct, Savandi and Mansouri have collected more than $6 million USD in ransom payments to date, and caused more than $30 million USD in losses to victims.

“The defendants in this case developed and deployed the SamSam Ransomware in order to hold public and private entities hostage and then extort money from them,” Carpenito said. “As the indictment in this case details, they started with a business in Mercer County and then moved on to major public entities, like the city of Newark, and health care providers, like the Hollywood Presbyterian Medical Center in Los Angeles and the Kansas Heart Hospital in Wichita — cravenly taking advantage of the fact that these victims depend on their computer networks to serve the public, the sick and the injured without interruption. The charges announced today show that the U.S. Attorney’s Office for the District of New Jersey will continue to act to disrupt such criminal acts, and identify those who are responsible for them, no matter where in the world they may seek to hide.”

“This indictment demonstrates the FBI’s continuous commitment to unmasking malicious actors behind the world’s most egregious cyberattacks,” Hess said. “By calling out those who threaten American systems, we expose criminals who hide behind their computer and launch attacks that threaten our public safety and national security. The actions highlighted today, which represent a continuing trend of cyber criminal activity emanating from Iran, were particularly threatening, as they targeted public safety institutions, including U.S. hospital systems and governmental entities. The FBI, with the assistance of our private sector and U.S. government partners, are sending a strong message that we will work together to investigate and hold all criminals accountable.”

Savandi and Mansouri are charged with one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer, and two substantive counts of transmitting a demand in relation to damaging a protected computer.

Charges contained in an indictment are merely allegations, and the defendants are presumed innocent until proved guilty beyond a reasonable doubt in a court of law.