2 Iranian hackers charged in ransomware scheme that targeted Maryland's MedStar Health

WASHINGTON — Two Iranian computer hackers were charged Wednesday in connection with a multimillion-dollar cybercrime and extortion scheme that targeted government agencies, cities and businesses — including Maryland’s MedStar Health system — the Justice Department said.

Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, are accused of creating ransomware known as SamSam that encrypted data on the computers of more than 200 victims, including the cities of Atlanta and Newark, New Jersey.


Starting in January 2016, the hackers were able to exploit cyber weaknesses, gain access to the victims' computers and install the ransomware remotely, prosecutors said. The hackers would then allegedly encrypt the files on the computers and demand that the victims pay a ransom in bitcoin in order to have their data unlocked.

The hackers, who are not believed to be connected to the Iranian government, were able to make about $6 million and caused the victims of the scheme to lose more than $30 million, prosecutors said.


In March 2016, an attack on the MedStar computer networks encrypted hospital data, causing staff members, patients and family members to report delays in service and confusion in treatment.

MedStar operates 10 hospitals in Maryland and D.C.

MedStar spokeswoman Ann Nickels said in a statement the group applauds the work of federal law enforcement officials in identifying the hackers.

“As we said at the time, we took immediate action to limit the impact of this attack and restore our systems,” she said in the statement. “We continued to provide safe patient care in our 10 hospitals and all of our outpatient facilities throughout this event. Then, as now, we remain focused on our core mission of providing high quality, safe patient care.”

Other victims included the Colorado Department of Transportation, the Port of San Diego and five other health care companies across the U.S., according to the Justice Department.

"SamSam ransomware is a dangerous escalation of cybercrime," said Craig Carpenito, the U.S. attorney for New Jersey, where Wednesday's indictment was unsealed. "This is a new type of cybercriminal. Money is not their sole objective. They are seeking to harm our institutions and our critical infrastructure."

Breaking News Alerts

Breaking News Alerts

As it happens

Be informed of breaking news as it happens and notified about other don't-miss content with our free news alerts.

The Justice Department would not say whether any of the municipalities paid the ransom. The Atlanta Journal-Constitution reported in April that Atlanta entered into emergency contracts worth $2.7 million to help restore the city's computer network after the attack.

The hacking scheme was sophisticated not only because it targeted public institutions but because the hackers targeted the entities after business hours and used European-based servers to launch the remote attacks, Carpenito said.


The two men remained fugitives and were believed to be in Iran. Although the U.S. does not have an extradition treaty with Iran, the Justice Department expressed some confidence that the men may one day face the inside of a U.S. courtroom.

"American justice has a long arm and we will wait and eventually we're confident that we will take these perpetrators into custody," Deputy Attorney General Rod Rosentein said.


Baltimore Sun reporter Sarah Meehan contributed to this article.

Copyright 2018 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.