Two Charged In Massive Ransomware “Extortion Plot”

On November 28, 2018, Deputy Attorney General Rod Rosenstein announced that two Iranian men, Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, had been charged in a massive ransomware attack in which they collected over $6 million in extortion payments in the form of bitcoin. An indictment on federal charges unsealed in United States District Court in Newark, New Jersey, paints a picture of the two men committing a series of high-profile ransomware attacks from December 2015 to September 2018. These attacks hit hospitals, municipalities and public institutions scattered around the U.S.

Victims of the attacks include the Port of San Diego, the City of Atlanta, the City of Newark, the University of Calgary, the Colorado Transportation Department, Allscripts, and MedStar Health hospital system. The Port of San Diego was left temporarily unable to process park permits or records requests, but recovered its systems through backups. The City of Atlanta was left crippled for over a week after the attackers demanded payment of $52,000. Instead of paying the ransom, Atlanta chose to restore its system from backups, which cost more than $2 million to carry out. In February 2018, the Colorado Transportation Department, which also refused to pay the demanded ransom, required four weeks of work and $1.5 to $2 million to get its systems back to 80% functionality, and many more weeks to return to 100%. MedStar Health systems were down for several days after the hackers were able to infiltrate its system due to a recognized design flaw (for which patches and/or a self-help fix of code deletion were available) in JBoss, an application server used by MedStar. MedStar also got its systems back up and running through backups, and refused to pay the demanded $19,000 ransom. In the attack, MedStar’s patient healthcare information was held hostage, but MedStar has confirmed that there has been no evidence that this information has been misused.

Savandi and Mansouri remain on the loose and have recently been added to the FBI’s most wanted list. This series of large-scale and high-profile attacks by cyber criminals underscores the importance of protecting data and taking all necessary technology-related security measures. Not adequately protecting data and IT systems can lead to an attack like the ones faced by these entities, loss of potentially millions of dollars, and violations of the Health Insurance Portability and Accountability Act (“HIPAA”), the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and numerous state data liability laws. If you have questions or concerns about any such laws or about the security of your data, contact an attorney experienced in the fields of data security and liability.