Yesterday, the United States indicted two Iranian hackers for their roles in a series of major ransomware attacks that started in 2016 and lasted almost three years. The attacks crippled schools, hospitals, the private sector, and government agencies, causing tens of millions of dollars in damage.
Ransomware has been a prominent threat to enterprises and individuals for more than a decade. Ransomware is a malicious software by which the data on a victim’s computer – or network – is held hostage by forcibly encrypting it and payment is demanded before access is returned.
In 2017 alone, the FBI’s Internet Crime Complaint Center (“IC3”) received 1,783 ransomware complaints, apparently costing victims approximately $2.3 million in ransomware payments. Those complaints, however, represent only the attacks reported to IC3. The actual number of ransomware attacks and costs are likely much higher due to the perceived stigma of reporting such attacks to law enforcement.
These attacks reflect a potential trend: whereas cybercriminals traditionally targeted personal information and other sensitive financial data for downstream monetization and use, ransomware necessitates a direct interaction between hackers and their victims that results in cash in hand for the criminal.
In yesterday’s six-count indictment, federal prosecutors in New Jersey took the rare step of announcing indictments against the two Iranian nationals, accusing them of running a multi-million dollar international hacking scheme. The indictment alleges that Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, acting from inside Iran, created and deployed a sophisticated malware, known as “SamSam Ransomware,” intentionally damaging protected computer systems and illegally transmitting ransomware demands.
According to the indictment, beginning in December 2015, the two men accessed the computers of hundreds of victim companies through security vulnerabilities and installed the SamSam Ransomware. The victimized organizations included hospitals, municipalities, and public institutions, according to the indictment, including the City of Atlanta, Georgia; the City of Newark, New Jersey; the Port of San Diego, California; Hollywood Presbyterian Medical Center in Los Angeles; and the Kansas Heart Hospital in Wichita.
Savandi and Mansouri allegedly collected more than $6 million in illegal ransom payments from victims and caused damage in excess of $30 million in losses to victims.
The scale of the alleged attacks was unprecedented. For example, the March 2018 attack on Atlanta and its municipal government—now attributed to Savandi and Mansouri—is considered to be one of the most sustained and consequential cyber-attacks ever brought against a major American city. As is typically the case in ransomware attacks, the hackers’ demanded an amount the city would not balk at paying – here, about $51,000. But the attack had an enormous collateral effect – it left Atlanta’s online network in shambles for almost a week and cost nearly $3 million to repair.
Savandi and Mansouri are foreign nationals, based in Iran, making their apprehension by U.S. authorities a dicey proposition, unless the two travel to a country with an extradition treaty in place. For this reason, U.S. authorities typically do not unseal indictments against foreign nationals until they have been taken into custody, in the hope that suspects stumble into a jurisdiction where they can be arrested and extradited.
So why publicly indict two individuals who will likely remain beyond the reach of U.S. law enforcement? Put simply, rather than being aimed at apprehending these two individuals, this indictment—and the publicity around it—may be designed more as a not so subtle message to potential victims and cybercriminals about U.S. law enforcement priorities and abilities. With respect to past and present victims, the indictment is likely designed to encourage trust in law enforcement’s commitment to cybercrime as a pervasive risk. Indeed, encouraging businesses and individuals to work hand-in-hand with the F.B.I. and other authorities to identify patterns and trends in cybercrime may also facilitate an increase in enforcement against domestic and foreign hackers. And no doubt, law enforcement agencies want cybercriminals around the globe to see this indictment as the proverbial warning shot that the game is afoot, whether it be in the U.S. or farther afield.
