The Department of Justice indicted two Iranian hackers behind the targeted and highly successful SamSam ransomware campaign that has plagued the healthcare sector for several years.
The federal prosecutors charged Mohammad Mehdi Shah Mansouri and Faramarz Shahi Savandi for an extortion scheme that targeted a wide range of organizations, especially the healthcare sector.
Assistant Attorney General Brian A. Benczkowski explained the hackers were responsible for some of the biggest hacks on the healthcare sector in the last two years: Allscripts, medical testing giant LabCorp, Washington, DC-based MedStar Health, Nebraska Orthopedic Hospital, Hancock Health and a host of others.
The notorious SamSam variant has been actively targeting the healthcare sector and the government since 2016. DOJ officials allege the most recent ransomware attack took place on Sept. 25, 2018.
The hackers primarily used brute force attacks on Remote Desktop Services to gain access to a victim’s system. They used RDP as the entry point onto one machine and then infected other computers on the network from there. The defendants would also mask their attacks to appear like legitimate network activity.
Further, the hackers purposefully launched attacks outside of regular business hours, “when a victim would find it more difficult to mitigate the attack, and by encrypting backups on the victims’ computers.”
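The two tradecraft details above, RDP brute forcing as the entry point and activity timed for outside business hours, are both visible in Windows Security logs. The following detector is an added example written for this article, not code from the indictment or from any SamSam analysis: it reads constructed sample events (the pipe-delimited export format, the sample IPs and the account names are all assumptions), counts failed RemoteInteractive (LogonType 10) logons per source IP inside a sliding window, and raises separate alerts for a brute-force burst, for a success that follows such a burst, and for any RDP logon that lands outside the assumed 08:00 to 18:00 weekday window.

```python
"""Flag RDP brute-force bursts and off-hours RDP logons in Windows Security
events. Added example with constructed sample data; not from the article."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export (assumed format: timestamp|EventID|LogonType|SourceIP|Account).
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2018-09-25 02:11:03|4625|10|203.0.113.7|administrator
2018-09-25 02:11:05|4625|10|203.0.113.7|admin
2018-09-25 02:11:08|4625|10|203.0.113.7|backup
2018-09-25 02:11:12|4625|10|203.0.113.7|scanner
2018-09-25 02:11:15|4625|10|203.0.113.7|administrator
2018-09-25 02:11:20|4625|10|203.0.113.7|administrator
2018-09-25 02:12:00|4624|10|203.0.113.7|administrator
2018-09-25 09:00:01|4625|3|203.0.113.9|svc_smb
2018-09-25 09:00:02|4625|3|203.0.113.9|svc_smb
2018-09-25 09:00:03|4625|3|203.0.113.9|svc_smb
2018-09-25 09:00:04|4625|3|203.0.113.9|svc_smb
2018-09-25 09:00:05|4625|3|203.0.113.9|svc_smb
2018-09-25 10:29:40|4625|10|198.51.100.4|jdoe
2018-09-25 10:30:02|4624|10|198.51.100.4|jdoe
"""

BUSINESS_HOURS = (8, 18)          # assumed local working hours, Monday to Friday
WINDOW = timedelta(minutes=5)     # sliding window for counting failures per source
FAIL_THRESHOLD = 5                # failures within WINDOW that count as a burst


def parse_events(text):
    """Parse the pipe-delimited export into dicts with typed fields."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, src, account = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src": src,
            "account": account,
        })
    return events


def is_off_hours(ts):
    """True on weekends or outside BUSINESS_HOURS on a weekday."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def detect(events):
    """Return (alert_type, source_ip, timestamp) tuples, in time order."""
    recent_failures = defaultdict(deque)   # src -> timestamps of failures still in WINDOW
    burst_reported = set()                 # sources already alerted on, to avoid repeats
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:
            continue  # only RDP here; SMB/network (type 3) brute force needs its own rule
        window = recent_failures[ev["src"]]
        # Drop failures that have aged out of the sliding window.
        while window and ev["ts"] - window[0] > WINDOW:
            window.popleft()
        if ev["event_id"] == 4625:
            window.append(ev["ts"])
            if len(window) >= FAIL_THRESHOLD and ev["src"] not in burst_reported:
                burst_reported.add(ev["src"])
                alerts.append(("rdp_bruteforce", ev["src"], ev["ts"]))
        elif ev["event_id"] == 4624:
            # A success right after a burst of failures is the likely guessed credential.
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("rdp_success_after_bruteforce", ev["src"], ev["ts"]))
            # Any RDP logon outside working hours is worth a look on its own.
            if is_off_hours(ev["ts"]):
                alerts.append(("rdp_off_hours_logon", ev["src"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert_type, src, ts in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{ts} {alert_type} from {src}")
```

On the constructed sample, the 203.0.113.7 source trips the burst rule on its fifth failure, and its 02:12 success raises both the success-after-burst and the off-hours alert; the type 3 failures from 203.0.113.9 are ignored by this RDP-only rule, and the single mistyped password from 198.51.100.4 during working hours raises nothing. Thresholds, the working-hours window and the logon-type filter are the knobs to tune for a real environment.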
“This was intended to—and often did—cripple the regular business operations of the victims,” according to the indictment.
Their ransom demands ranged from $5,000 to $60,000, depending on the attack size. While ransomware attacks are typically indiscriminate, the SamSam operators worked in a targeted, manual fashion and heavily researched victims before launching an attack.
The method proved successful as the hacking group banked at least $6 million in ransom payments and caused more than $30 million in damages for its 200 victims.
“The allegations in the indictment unsealed today—the first of its kind—outline an Iran-based international computer hacking and extortion scheme that engaged in 21st-century digital blackmail,” Benczkowski said in a statement.
“The defendants in this case developed and deployed the SamSam Ransomware in order to hold public and private entities hostage and then extort money from them,” U.S. Attorney for New Jersey Craig Carpenito said in a statement.
The hackers began by targeting a Mercer County business, then moved to public entities like the city of Newark and specifically healthcare providers including Kansas Heart Hospital in Wichita and the Hollywood Presbyterian Medical Center in Los Angeles, Carpenito explained.
In fact, DOJ officials allege the hackers targeted healthcare as the organizations rely on data to serve the public without interruption.
“By calling out those who threaten American systems, we expose criminals who hide behind their computer and launch attacks that threaten our public safety and national security,” FBI Executive Assistant Director said in a statement.
“The actions highlighted today, which represent a continuing trend of cybercriminal activity emanating from Iran, were particularly threatening, as they targeted public safety institutions, including U.S. hospital systems and governmental entities,” she added.
DOJ charged Savandi and Mansouri with one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer and two substantive counts of transmitting a demand in relation to damaging a protected computer.
The indictment is not an admission of guilt and the two hackers are still at large. In a separate announcement, the Department of the Treasury imposed sanctions against two bitcoin addresses connected to SamSam. The two addresses processed over 7,000 ransom demands from its victims.
Savandi and Mansouri are still wanted by the FBI, so it’s yet to be seen if the SamSam attacks will continue. However, the indictment sheds light on some of the biggest healthcare breaches in recent years.