US indicts Iranians over ransomware attacks worth $6 million

The pair made systems inaccessible until the owners paid ransoms in Bitcoin

US Deputy Attorney General Rod Rosenstein announces the indictment of two Iranians in the SamSam ransomware attack at the Department of Justice in Washington, DC, USA, 28 November 2018. The computer ransomware attack targeted multiple hospitals, municipalities and public institutions, including the city of Atlanta, according to the indictment. EPA/ERIK S. LESSER

The US on Wednesday imposed cyber-related sanctions on two Iranians it said had helped exchange Bitcoin obtained from ransom payments into Iranian rial, and charged two Iranian hackers involved in a ransomware conspiracy that netted them millions of dollars.

More than 7,000 transactions in Bitcoin had been traced to two digital currency addresses operated by the first two men, according to the Treasury.

Naming them as Ali Khorashadizadeh and Mohammad Ghorbaniyan, the Treasury's Office of Foreign Assets Control (Ofac) said the conspiracy involved the SamSam ransomware scheme, in which hackers targeted electronic systems at American hospitals, universities and government agencies.

Their digital currency addresses are the first to be publicly attributed to persons placed on a US sanctions blacklist, Ofac said.

“Treasury is targeting digital currency exchangers who have enabled Iranian cyber actors to profit from extorting digital ransom payments from their victims,” said Treasury under secretary for terrorism and financial intelligence Sigal Mandelker.

“As Iran becomes increasingly isolated and desperate for access to US dollars, it is vital that virtual currency exchanges, peer-to-peer exchangers, and other providers of digital currency services harden their networks against these illicit schemes.”


Such exchanges transfer traditional currencies into Bitcoin, or Bitcoin into traditional currencies.

Ransomware works by encrypting data on the victim's computer systems. The conspirators then offer to decrypt the data in return for payment.

“Treasury will aggressively pursue Iran and other rogue regimes attempting to exploit digital currencies and weaknesses in cyber to further their nefarious objectives,” Ms Mandelker added.

In a related action the Justice Department indicted two different Iranians for infecting data networks with SamSam ransomware in the US, Britain and Canada since 2015.

According to the indictment, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, both operating in Iran, authored and deployed SamSam ransomware to hack into networks.


Their targets included the US cities of Newark and Atlanta, the port of San Diego, Colorado's Transportation Department as well as a hospital and a medical laboratory.

“The defendants' objective allegedly was to prevent these victims from accessing or using data on the compromised computers, forcing them to shut down or dramatically curtail their operations,” the Justice Department said.

“According to the indictment, the defendants then extorted ransom payments from their victims by threatening otherwise to delete the decryption keys needed to unlock the compromised computers,” it added.

In total, the defendants allegedly hacked and extorted more than 200 victims, and collected more than $6 million in criminal proceeds, according to the charges. The victims also incurred additional losses exceeding $30 million because they were unable to access their data.


The 25-page indictment charges that the hackers' scheme was for their own personal profit, and was not government directed.

Both men are believed to be in Iran and are considered fugitives from justice, US officials said.

The Treasury and Justice departments' announcements came shortly before the US Special Representative for Iran Brian Hook said he would on Thursday deliver remarks and showcase evidence about Tehran's transfer of arms to proxy groups and issue an update on the regime's latest ballistic missile work.

“This display contains clear and tangible evidence that the Iranian regime is arming dangerous groups with advanced weapons, and spreading instability and conflict in the region, which poses a threat to international peace and security,” the State Department said in advance of the briefing to take place at a military base in southeast Washington DC.

The three separate announcements are the latest sign of the Trump administration's efforts to sanction individuals or entities in Iran.