2 Iranian Men Indicted in Ransomware Attack on Port of San Diego

11/28/2018 – City News Service

Two Iranian men are facing federal charges for allegedly masterminding an international computer hacking scheme that used “SamSam” ransomware to attack the Port of San Diego and Hollywood Presbyterian Medical Center, the Justice Department announced Wednesday.

Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, were indicted by a federal grand jury in Newark, New Jersey, for the scheme that caused more than $30 million in losses and allowed the alleged hackers to collect over $6 million in ransom payments, according to the DOJ.

The six-count indictment, unsealed Wednesday, alleges that Savandi and Mansouri, acting from inside Iran, authored malware capable of forcibly encrypting data on the computers of more than 200 victims.

The Port of San Diego revealed in September that it was working with federal law enforcement to find the culprit behind a cybersecurity attack that took place weeks earlier. The attack had temporary impacts on business services, park permits and public records requests, a port spokeswoman said.

Ransomware was used in the attack and included a note requesting payment in Bitcoin. While some of the port’s information technology systems were compromised, staff proactively shut down other systems to avoid further problems, the spokeswoman said.

In February 2016, Hollywood Presbyterian announced it had paid a ransom of about $17,000 in Bitcoin to restore its electronic medical record system after a cyber-attack that crippled its computer system but did not compromise patient care or patient and employee personal information. The attack prevented hospital staff from accessing selected computer systems and blocked electronic communications, medical center officials said.

According to prosecutors, starting in December 2015, Savandi and Mansouri allegedly accessed victim computers through security vulnerabilities and installed the SamSam ransomware. They then allegedly demanded ransom paid in the virtual currency Bitcoin in exchange for decryption keys for the encrypted data, collected the payments, and exchanged the Bitcoin for Iranian currency using Iran-based Bitcoin exchangers.

Assistant U.S. Attorney General Brian A. Benczkowski described the scheme as “21st-century digital blackmail” in which the defendants allegedly used ransomware to “infect the computer networks of municipalities, hospitals, and other key public institutions, locking out the computer owners, and then demanded millions of dollars in payments from them.”

Savandi and Mansouri are charged with one count each of conspiracy to commit wire fraud and conspiracy to commit fraud and related activity in connection with computers, and two substantive counts each of intentional damage to a protected computer and transmitting a demand in relation to damaging a protected computer.

The DOJ alleged that the men disguised the hacks to appear like legitimate network activity, launched attacks outside regular business hours, when victims would find it more difficult to fix the problem, and encrypted backups of the victim computers.

— City News Service
Article originally published at https://timesofsandiego.com/crime/2018/11/28/2-iranian-men-face-federal-charges-in-cyber-attack-on-port-of-san-diego/