
Two Iranians charged in ransomware 'extortion plot' against U.S. cities, hospitals

The two men allegedly collected over $6 million in bitcoin by using malware to hold computers hostage until a ransom was paid.

Two Iranian men have been indicted on federal charges that they carried out high-profile ransomware attacks against hospitals, municipalities and public institutions across the United States in what officials called a "high-tech, sophisticated extortion plot."

Deputy Attorney General Rod Rosenstein said Wednesday that Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, hacked into computer systems and shut them down until ransom was paid. They collected more than $6 million in extortion payments in bitcoin, he said.

Mohammad Mehdi Shah Mansouri in an FBI most-wanted communiqué. A photo of his co-defendant, Faramarz Shahi Savandi, wasn't available. FBI

An indictment unsealed Wednesday in U.S. District Court in Newark, New Jersey, connects the dots among a series of high-profile attacks from December 2015 to just last September, when the Port of San Diego was hit, affecting its ability to process park permits and records requests.

According to the indictment, other victims, in attacks that were widely publicized at the time, included:

  • The City of Atlanta, where city business was shut down for several days last March.
  • The Colorado Transportation Department, which needed four weeks to get its financial and human resources systems back to 80 percent capacity in February.
  • Allscripts, the Chicago company that administers health records for hospitals across the country, whose systems for electronic prescriptions for controlled substances were especially hard-hit in January.

Perhaps the biggest victim of the alleged scheme was the MedStar Health system of hospitals in the Washington, D.C., area, whose computer systems were shut down in March 2016. A Washington-area woman told NBC News at the time that her husband was forced to miss three days of cancer radiation therapy because of the attack.

Including ransoms that were paid, the attacks cost more than $36 million resulting from loss of access to data, according to the indictment, which said the two men gained access to computer networks by using a form of ransomware called SamSam, also sometimes known as Samas and MSIL/SAMAS.A.

It said the attackers used a strategy more sophisticated than the standard social engineering attack known as phishing, in which attackers blast hundreds or thousands of emails hoping to lure someone into clicking on an infected attachment.

Instead, according to the indictment, Savandi and Mansouri researched high-impact targets they deemed to be vulnerable to security shortfalls and then attacked them directly, infiltrating the systems with automated attacks that targeted multiple servers, eliminating the need to rely on the chance that a random human would push the wrong button.

"Many of the victims were public agencies with missions that involved saving lives and performing other critical missions for the American people," Rosenstein said Wednesday.

Savandi and Mansouri remain at large and were added to the FBI's most-wanted lists on Wednesday on charges of conspiracy to commit wire fraud, conspiracy to commit fraud and related activity in connection with computers, intentional damage to a protected computer and transmitting a demand in relation to damaging a protected computer.

Atlanta Mayor Keisha Lance Bottoms said Wednesday that the attack on her municipal systems in March was "extremely disruptive to the city."

"This has happened to people worldwide, and it's often very difficult for these perpetrators to be brought to justice," Bottoms told NBC affiliate WXIA. "I'm very thankful this might stop another municipality from experiencing what we did."