DOJ announces first-of-its-kind indictment for ransomware attack

BY Brenda Flanagan, Senior Correspondent

Two Iranian cybercriminals allegedly attacked the City of Newark’s computer systems last April. They used a sophisticated ransomware program called “SamSam” to remotely encrypt its files and demand a ransom payment in Bitcoin, worth about $30,000, as part of a criminal scheme that extorted $6 million from 200 victims nationwide, according to a six-count indictment announced Wednesday.

“They deliberately engaged in an extreme form of 21st century digital blackmail — attacking and extorting vulnerable victims like hospitals and schools, victims they knew would be willing and able to pay,” said Assistant Attorney General Brian Benczkowski of the Criminal Division of the Department of Justice.

“They’re trying to impact our way of life. They’re hitting the most critical targets because they want to maximize their targets, but they’re also trying to maximize the damage that they can do,” said U.S. Attorney for New Jersey, Craig Carpenito.

“I didn’t even know what a Bitcoin was, in full transparency, until we were actually hacked,” Newark Mayor Ras Baraka said.

Baraka said the city called the FBI for help when it received the digital ransom note which demanded “… 24 BitCoins to receive ALL private keys for ALL affected PC’s.” It included a doomsday countdown clock that gave Newark seven days to pay or “… we will remove your private keys and it’s impossible to recover your files.” Baraka said Newark paid.

“Because if they’ve seized things that you actually need — like payroll, like 911, like 4311 and other things — you can’t operate at all unless you go on the dark web, purchase some Bitcoins and pay these people. So they do have city money because we had to continue to function,” Baraka said.

This first-ever indictment for ransomware hacking names two computer hackers who live in Iran, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, who allegedly used servers in Europe and the Tor anonymity network to hide their tracks. Their many alleged victims included Newark, the City of Atlanta, the Port of San Diego, and LA’s Hollywood Presbyterian Hospital.

“The criminals believed they were masking their identities on the dark web. However, this case shows that anonymizers may not make you as anonymous as you think you are. They used Bitcoin to avoid detection, but this case shows the digital currency can be traceable,” said FBI Executive Assistant Director Amy Hess.

The FBI encouraged businesses and public entities hit by a ransomware attack to resist paying and to call the bureau, but admitted most victims simply pay to get their data back. It urged organizations to harden their systems.

“But perhaps even more importantly, to make sure they have backups, because we found out some victims in this case were able to recover their systems [because] they had the appropriate backups,” said U.S. Deputy Attorney General Rod Rosenstein.

“Particularly because we’re trying to digitize almost every function in the city, it becomes more important for us to have the security we need, and protection,” Baraka said.

The deputy attorney general said there’s no evidence the Iranian government had any involvement with the alleged scheme. The defendants are now fugitives from American justice — the United States has no extradition treaty with Iran.