FBI charges 2 Iranian men in cyber extortion of U of C
Two Iranian men were charged by the U.S. Federal Bureau of Investigation on Wednesday in connection with an international computer hacking and extortion scheme that led the University of Calgary to pay a $20,000 ransom after a devastating malware attack more than two years ago.
The cyberattack crippled multiple U of C systems in May 2016 using sophisticated ransomware, which locks or encrypts computers and networks.
The university agreed at the time to pay the ransom using bitcoin, an untraceable digital currency, to ensure critical systems could be restored.
The U of C was among more than 200 victims of the scheme, which spanned nearly three years. Other targets included hospitals, municipalities and public institutions in the U.S., according to the FBI indictment.
Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, both from Iran, were charged with offences including conspiracy to commit wire fraud, intentional damage to a protected computer and transmitting a demand in relation to damaging a protected computer.
Both are considered fugitives and are wanted by the FBI.
The six-count indictment alleges that, while acting from inside Iran, the two men deployed malware known as “SamSam Ransomware,” capable of forcibly encrypting data on victims’ computers.
Beginning in December 2015, Savandi and Mansouri are accused of accessing the computers of victims through security vulnerabilities, and installing and executing the SamSam Ransomware on the computers.
Victims were then extorted with a demand for ransom paid in bitcoin in exchange for decryption keys for the affected systems. Ransom payments collected in the virtual currency would be exchanged into Iranian rial using Iran-based bitcoin exchangers.
The indictment alleges that Savandi and Mansouri collected more than US$6 million in ransom payments, causing more than US$30 million in losses to victims.
The U of C attack happened May 27, 2016, when it is alleged Savandi and Mansouri used virtual private servers to access the university’s computer network and deployed the “SamSam Ransomware,” according to their indictment unsealed Wednesday.
That same day, authorities say, Savandi and Mansouri extorted the University of Calgary by demanding a ransom paid in bitcoin in exchange for decryption keys for the affected data.
More than 100 university computers were affected by the virus.
In a statement, U of C vice-president Linda Dalgetty thanked the FBI “for their diligence and perseverance in investigating this matter.”
“We are thankful that law enforcement agencies take such criminal acts very seriously and were able to locate the perpetrators and issue arrest warrants,” Dalgetty stated. “Students, faculty and staff showed tremendous patience and understanding as the university worked through this challenging issue, and we hope they can take satisfaction in knowing that the suspected perpetrators are being charged.”
Other victims included the cities of Atlanta, Newark and San Diego, and the Colorado Department of Transportation, according to the indictment.
It also says the hackers targeted six health care-related entities: the Hollywood Presbyterian Medical Center in Los Angeles; the Kansas Heart Hospital in Wichita; the Laboratory Corp. of America Holdings in Burlington, N.C.; MedStar Health in Columbia, Md.; the Nebraska Orthopedic Hospital in Omaha; and Allscripts Healthcare Solutions Inc., headquartered in Chicago.
“The defendants chose to focus their scheme on public entities, hospitals and municipalities. They knew that shutting down those computer systems could cause significant harm to innocent victims,” U.S. deputy attorney general Rod Rosenstein said at a news conference in Washington, D.C., on Wednesday.
“Every sector of our economy is a target of malicious cyber activity. But the events described in this indictment highlight the urgent need for municipalities, public utilities, health-care institutions, universities and other public organizations to enhance their cybersecurity.”
The indictment alleges that, in addition to using Iran-based bitcoin exchangers, Savandi and Mansouri used overseas computer infrastructure to commit their attacks.