2 Iranians indicted in ransomware attacks. Targets included an L.A. hospital and San Diego’s port

The Port of San Diego was the latest target in a series of cyberattacks in which, authorities say, two men used malware to freeze computer data, then demanded ransom.
(Howard Lipin / San Diego Union-Tribune)
San Diego Union-Tribune

A federal grand jury has indicted two Iranian men on a charge of orchestrating a widespread ransomware cyberattack scheme targeting U.S. cities, hospitals and transportation agencies, including Hollywood Presbyterian Medical Center and the Port of San Diego.

The indictment charges Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, with launching cyberattacks using malware known as SamSam to freeze data on computers. The men then demanded payment in the cybercurrency bitcoin to unlock the data, it says.

Authorities said Savandi and Mansouri collected more than $6 million in ransom payments and caused $30 million in additional damages in attacks that began in December 2015. Both men reside in Iran and have not been arrested.


“The allegations in the indictment unsealed today — the first of its kind — outline an Iran-based international computer hacking and extortion scheme that engaged in 21st century digital blackmail,” said Brian Benczkowski, assistant attorney general with the U.S. Justice Department. “These defendants allegedly used ransomware to infect the computer networks of municipalities, hospitals and other key public institutions, locking out the computer owners, and then demanded millions of dollars in payments from them.”

Hackers seized control of Hollywood Presbyterian Medical Center’s computers in February 2016, locking systems, encrypting files and disrupting hospital administrative functions. The attack forced the hospital to use pen and paper for its record-keeping.

To regain the use of the computers, Hollywood Presbyterian paid a ransom of 40 bitcoin, worth about $17,000 at the time.

The attack on the Port of San Diego took place just two months ago. The port reported the ransomware attack Sept. 25, and said it limited access to permits and public documents for a few days. Computers that handled administrative functions for the Harbor Police also were affected.

The port declined to comment on whether it paid the ransom, and Justice Department officials on Wednesday also declined to identify which victims opted to pay.

According to the indictment, the city of Atlanta; the city of Newark, N.J.; the Colorado Department of Transportation; and the University of Calgary in Canada were among the government entities attacked.


In addition to Hollywood Presbyterian, healthcare facilities including Kansas Heart Hospital; MedStar Health in Maryland; Nebraska Orthopedic Hospital; and Allscripts Healthcare Solutions in Chicago were victims.

Savandi and Mansouri created the first version of SamSam in late 2015 and further refined the ransomware in June and October 2017, according to the indictment. It says the men used sophisticated online reconnaissance to select potential targets and disguised their attacks to appear like legitimate network activity.

Freeman writes for the San Diego Union-Tribune.


1:40 p.m.: This article was updated with more information about the attack on Hollywood Presbyterian Medical Center.

This article was originally published at 12:10 p.m.