Two Iranian men indicted in CDOT ransomware attack that disrupted computers for weeks

Men face charges related to hacking in US, Canada
Posted at 12:02 PM, Nov 28, 2018
and last updated 2018-11-28 14:58:59-05

DENVER – Two Iranian men have been indicted by a federal grand jury in New Jersey for the ransomware attacks on the Colorado Department of Transportation that disrupted the department in February and March and cost the state more than $1 million to clean up.

Faramarz Shahi Savandi, 24, and Mohammad Mehdi Shah Mansouri, 27, each face six total counts, including conspiracy to commit fraud with computers, conspiracy to commit wire fraud, two counts of intentional damage to a protected computer and two counts of transmitting a demand in relation to damaging a protected computer, according to the indictment unsealed Wednesday and returned earlier this week in the U.S. District Court of New Jersey.

According to the indictment, Mansouri and Savandi ran the alleged hacking scheme out of Iran by using Bitcoin, two exchangers, the Tor private network and virtual private servers hosted in Europe.

They allegedly victimized more than 200 hospitals, businesses, government agencies, schools and others in the U.S. and Canada, extorting them for more than $6 million in ransom payments starting in December 2015 and continuing up through Sept. 25 of this year.

Among the ransomware attacks the pair are blamed for are the two attacks on CDOT that started in February this year and were not resolved until at least a month later.

The indictment alleges that Savandi and Mansouri deployed their SamSam Ransomware attack on CDOTs computers starting on Feb. 19, taking over the department’s computer network and encrypting the computers. The two allegedly demanded a ransom be paid in Bitcoin in exchange for decryption keys that would unlock the network.

Prosecutors allege the goal of the two was to make money for themselves by taking over the selected computer networks and forcing the infected entities to pay the Bitcoin ransoms.

The pair started out with basic ransomware techniques but developed their craft over time to be more sophisticated and “more difficult to analyze,” the indictment says.

They would scout computer networks by using the masked private servers, often conducting reconnaissance on the networks for weeks before initiating the ransomware attacks early on in their operation, the indictment says. But by 2018, the pair were deploying the SamSam ransomware “within hours” of hacking into networks, according to the indictment.

Once the networks were infected, the alleged hackers would demand ransoms with notes saying the decryption keys would be permanently deleted after seven days. They would create specific websites for each victim to communicate.

The indictment doesn’t say that every infected entity paid the ransom, however. But those who did eventually gave the alleged hackers more than $6 million in Bitcoin, which was then exchanged into Iranian rial through two unidentified exchangers, the indictment alleges.

Many of the attacks occurred in 2016, though prosecutors identified at least four that happened in 2017, including several in New Jersey off which many of the charges are based.

The pair allegedly hit Chicago-based Allscripts Healthcare Solutions, Inc. in January of this year and received a ransom payment, which had been converted into rial by Feb. 18. The next day, the indictment alleges, Savandi and Mansouri accessed and attacked the CDOT system.

CDOT reported two separate attacks in February that forced 2,000 CDOT employees off their computers. The department reported at the time it would not be paying the ransom and said that no construction projects were disrupted by the attack, nor were road signs affected.

A group of contract workers were forced to stop work for weeks while the attack was ongoing.

By April, state officials said 80 percent of functionality had been restored and that the cleanup had cost $1.5 million.

Others affected by the ransomware weren’t as lucky, according to the indictment, which says that in total, the victims in the case “incurred additional losses exceeding $30 million resulting from the loss of access to their data.”

CDOT confirmed Wednesday that it never paid the ransom because its backup systems were not accessible to the hackers and said that traffic operations were never affected.

"Today’s indictment shows how seriously we take this type of criminal activity," said Colorado Governor's Office of Information Technology Chief Information Security Officer Deborah Blyth in a statement. "We want to thank the FBI for their partnership and commitment to prosecuting the malicious actors who are responsible for these devastating cyber attacks."

Per the counts, the government hopes to seize any proceeds or property Savandi and Mansouri made off the alleged hacking.

“The allegations in the indictment unsealed today – the first of its kind – outline an Iran-based international computer hacking and extortion scheme that engaged in 21st century digital blackmail,” U.S. Assistant Attorney General Brian Benczkowski said in a statement.

The FBI issued wanted notices for the two on Wednesday and said they both live in Tehran. The wanted poster asks anyone with information about the two to contact their local FBI office or the nearest American embassy or consulate.

This is a developing news story and will be updated.