Justice Department indicts two Iranians over SamSam ransomware attacks

An example of the SamSam ransom note (Image: SecureWorks)

U.S. federal prosecutors have indicted two Iranian nationals for creating and deploying the notorious SamSam ransomware.

Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, were indicted by a federal grand jury in New Jersey on Monday on several counts of computer hacking and fraud charges. The case was unsealed Wednesday, shortly before a press conference announcing the charges by U.S. deputy attorney general Rod Rosenstein.

“The Iranian defendants allegedly used hacking and malware to cause more than $30 million in losses to more than 200 victims,” said Rosenstein. “According to the indictment, the hackers infiltrated computer systems in ten states and Canada and then demanded payment. The criminal activity harmed state agencies, city governments, hospitals, and countless innocent victims.”

Victims included the City of Atlanta, which was knocked offline earlier this year and is projected to spend at least $2.6 million on recovery following a SamSam infection. It was later discovered that the city’s computers had long been vulnerable to exploits developed by the National Security Agency that were subsequently stolen and leaked online for anyone to use.

Other victims included clinical lab testing giant LabCorp, the City of Newark, New Jersey, and the Port of San Diego, which was attacked in late September and which prosecutors said was the most recent attack.

Several municipalities, hospitals and medical centers were also hit by the ransomware.

In total, SamSam has generated some $6 million in proceeds to date — or 1,430 bitcoin at today’s value.

In a separate announcement, the Treasury said it had imposed sanctions against two bitcoin addresses associated with the ransomware. The department said the two addresses processed more than 7,000 transactions used to collect ransom demands from victims.

Prosecutors said that nearly every U.S. state had at least one victim — some, including most of the eastern seaboard, had more than six victims.

According to the indictment, Savandi and Mansouri created SamSam in late 2015 and refined it over the following two years. The two allegedly conducted reconnaissance to identify potential victims, and launched attacks outside business hours to maximize the damage by preventing timely mitigation.

Justice Department prosecutors say that the SamSam infections caused $30 million in losses and damages.

Because the two are Iranian nationals and residents, it is unlikely that they will ever face justice in the U.S., but the indictments serve as part of the “name and shame” effort the Justice Department has employed in recent years.

The indictments likely won’t result in extraditions or convictions, but they do make it difficult for the alleged ransomware authors to travel freely, since they run the risk of being detained in any country that has an extradition treaty with the U.S.

Savandi and Mansouri remain wanted by the FBI.