WASHINGTON — The Justice Department unsealed charges Wednesday against two Iranian criminal hackers who allegedly used ransomware to hit American hospitals, universities, government agencies and the city of Atlanta, causing tens of millions of dollars in damages.
In all, more than 200 victims were affected, more than $6 million in ransom was collected, and damages exceeded $30 million, officials said. Ransomware encrypts data on affected systems, with an offer to decrypt it if a ransom is paid.
According to officials, this is the first time federal prosecutors have brought charges against hackers for using ransomware in combination with Bitcoin exchanges. Bitcoin exchanges convert traditional currencies into Bitcoin, or Bitcoin into traditional currencies.
The 25-page indictment charges that the hackers’ scheme was for their own personal profit, and was not government directed.
The defendants, Faramarz Shah Savandi and Mohammad Mehdi Shah Mansouri, were charged with conspiring to hack victims between December 2015 and this month. The suspects are believed to be in Iran.
A ransomware called SamSam was used in attacks against Atlanta, the Colorado Department of Transportation and several health care institutions. The ransomware, first identified in 2015, gained prominence after it afflicted Atlanta in March, hobbling computers in the court system, shutting down the Wi-Fi at the international airport, preventing residents from paying their water bills online, and forcing the police for several days to file police reports on paper instead of electronically.
Though Atlanta refused to pay the anonymous hackers $51,000 in ransom, recovering from the attack is estimated to have cost the city’s taxpayers more than $9 million.
The SamSam ransomware was not as well-known as WannaCry, a computer virus paired with ransomware that in May 2017 affected more than 300,000 computers in 150 countries. But in some ways, it is more sophisticated. WannaCry, which U.S. officials said was created by North Korea, spread on the open internet and hit targets indiscriminately.
With SamSam, by contrast, the hackers chose targets that were vulnerable and then infiltrated their networks, pre-positioning the ransomware on key servers before triggering it — a technique that enabled them to inflict maximum damage immediately, according to officials and cybersecurity experts.
SamSam differs from other ransomware because it does not rely on phishing to infiltrate a system, but uses other techniques, including what security officials call brute-force attacks, in which the attacker tries password after password until a weak one is guessed.
But it shares one key attribute with WannaCry, said cyber experts. Both utilize a potent cyber tool developed by the National Security Agency that leaked and wound up on the open internet: EternalBlue. The “exploit,” as hackers call it, takes advantage of a software flaw in some Microsoft Windows operating systems, helping attackers gain access to those computers.
Although Microsoft, after being notified by the NSA, issued a patch for the flaw in March 2017, many companies around the world and some in the United States failed to update their machines and fell victim to WannaCry last year.
The hackers who developed SamSam at some point incorporated EternalBlue into the malware. “SamSam was far more potent with EternalBlue,” said Jake Williams, founder of the cybersecurity company Rendition Infosec. “Their capabilities increased dramatically with it.”
Other ransomware has also used EternalBlue, showing how these exploits, once released, can be picked up by anyone — criminals or nation states. And it has raised questions about how agencies such as the NSA protect their hacking tools.