The US Justice Department charged two Iranian hackers Wednesday with extorting at least $6 million from hospitals, city governments and public institutions in the US and Canada by remotely locking down their computer systems.
The DOJ said Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri deployed the SamSam Ransomware into the systems of more than 200 institutions, encrypting their operations to make them inaccessible until the owners paid ransoms by bitcoin.
Victims included the city governments of Atlanta, Georgia and Newark, New Jersey, the University of Calgary in Canada, major US hospitals in Los Angeles and Kansas City, and Laboratory Corporation of America, or LabCorp, one of the world’s largest medical testing businesses.
“The hackers infiltrated computer systems in 10 states and Canada and then demanded payment. The criminal activity harmed state agencies, city governments, hospitals, and countless innocent victims,” said Deputy Attorney General Rod Rosenstein.
The six-count indictment said the two men -- who are still in Iran -- began in December 2015 to hack into target computer systems to install the SamSam malware.
Once the malware was executed, it would encrypt all of the data on the victims’ computers, and electronic notes would be left behind telling administrators how to pay a ransom to have their data unlocked.
When the city of Atlanta was hit, government computers serving a population of a half-million were crippled for six days in March 2018.
People could not pay bills and businesses could not receive payments.
The demanded payments were usually relatively small, making it easier for some executives to decide to pay.
The Indiana hospital Hancock Health paid four bitcoin -- $55,000 at the time -- in January 2018 to get its systems unfrozen.
“The defendants did not just indiscriminately ‘cross their fingers’ and hope their ransomware randomly compromised just any computer system,” said Assistant Attorney General Brian Benczkowski.
“Rather, they deliberately engaged in an extreme form of 21st-century digital blackmail, attacking and extorting vulnerable victims like hospitals and schools, victims they knew would be willing and able to pay.”
In addition to ransom payments, the Justice Department said, governments and businesses suffered losses of a total of $30 million in their operations.
In parallel with the indictment of the two, the US Treasury announced sanctions on two other Iranians, Ali Khorashadizadeh and Mohammad Ghorbaniyan, who allegedly aided the hackers by managing the ransom payments by the virtual currency bitcoin.
The two helped the SamSam hackers convert the bitcoin into Iranian rials, and were identified as the people behind two digital currency addresses that handled some 7,000 bitcoin transactions.
The Treasury’s Office of Foreign Assets Control said it was the first time they had publicly attributed digital currency addresses to people being placed on their sanctions blacklist.