2 Iranian men indicted for ransomware cyberattacks on U.S. targets, including Port of San Diego

A federal grand jury has indicted two Iranian men for orchestrating a widespread ransomware cyberattack scheme that targeted U.S. cities, hospitals and transportation agencies, including the Port of San Diego.

The indictment charges Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, with launching cyberattacks using malware known as SamSam to freeze data on computers. The men then demanded payment in cybercurrency known as bitcoin to unlock the data.

Authorities said Savandi and Mansouri collected more than $6 million in ransom and caused $30 million in damages in attacks that began in early 2016. Both men reside in Iran and have not been arrested.

“The allegations in the indictment unsealed today — the first of its kind — outline an Iran-based international computer hacking and extortion scheme that engaged in 21st-century digital blackmail,” said Assistant Attorney General Brian Benczkowski in a statement.

The Port of San Diego reported a ransomware attack on Sept. 25. The malware limited access to permits and public documents for several days. Computers that handled administrative functions for the Harbor Police also were affected.

The port refused to pay the ransom demand, said spokeswoman Tanya Castaneda. It did not permanently lose its data.

“The port had followed prior FBI guidance with the implementation of strong security practices, including a backup system for electronic information, which enabled us to recover data and not pay the ransom,” she said.

When the attack occurred, the port was in the process of upgrading its information technology infrastructure but improvements were not fully implemented. It is unclear whether full deployment would have prevented the attack, said Castaneda.

“While we are a commercial port, we have the additional special designation of Strategic Port for the U.S. Department of Defense,” she said. “Clearly, the Port of San Diego was seen as a high-value target.”

The port oversees 34 miles of San Diego Bay waterfront property. It plays a key role in public safety with the Harbor Police and the operation of cargo and cruise terminals. It houses 800 businesses, including shipbuilder General Dynamics-NASSCO.

“We applaud the U.S. Department of Justice and the FBI for conducting this complex and sophisticated investigation,” said Randa Coniglio, chief executive of the port, in a statement. “We are very pleased to see these enforcement efforts against international computer hacking and extortion scammers.”

According to the indictment, Atlanta, Newark, the Colorado Department of Transportation and the University of Calgary were among the public entities attacked.

In addition, six health care facilities were targets: Hollywood Presbyterian Medical Center in Los Angeles; Kansas Heart Hospital; MedStar Health in Maryland; Nebraska Orthopedic Hospital; Allscripts Healthcare Solutions in Chicago; and LabCorp of America, a North Carolina clinical lab network operator.

“This is a new type of cybercriminal. Money is not their sole objective,” said Craig Carpenito, U.S. Attorney in New Jersey who is prosecuting the case. “They are seeking to harm our institutions and critical infrastructure.”

In all, prosecutors say there were 200 victims across 10 states. Savandi and Mansouri allegedly focused on municipalities and hospitals where losing data would cripple operations – boosting their leverage to extort money.

The indictment provides a look into how cybercriminals operate. The men created the first version of the SamSam ransomware in late 2015 and regularly improved it to maximize damage, according to the indictment.

In Atlanta, the malware attack last spring shut down city services, including courts, online bill pay and computer systems for city workers. The ransom demand reportedly was around $50,000. The city spent about $2.7 million on computer security services after the attack.

Savandi and Mansouri conducted extensive online reconnaissance to select targets, according to the indictment. Once the malware was launched, it encrypted data and then delivered a note demanding bitcoin to receive a decryption key.

The note typically threatened to permanently delete the decryption key after seven days. The men created web pages on the anonymous Tor network to communicate with victims. They even sought to reassure victims that the decryption key worked.

“Check our site. You can upload 2 encrypted files and we will decrypt your files as a demo,” according to one ransom note attached to the indictment.

The charges were filed Wednesday in U.S. District Court in New Jersey. They include conspiracy to commit computer fraud, conspiracy to commit wire fraud, intentional damage to a protected computer and transmitting a demand to extort money.

“We want to get the word out that every sector of our economy is a potential target of malicious cyberactivity,” said Benczkowski, the assistant attorney general. “The events described in this indictment highlight the need for businesses, healthcare institutions, universities, and other entities to emphasize cybersecurity, increase threat awareness, and harden their computer networks.”

mike.freeman@sduniontribune.com; Twitter: @TechDiego; 760-529-4973
