KUSA — The Iranian hackers who investigators said held the Colorado Department of Transportation’s computer network for ransom earlier this year have been indicted for this and a string of other attacks that ultimately netted $6 million in bitcoin payments.
Faramarz Shahi Savandi, 27, and Mohammad Mehdi Shah Mansouri, 34, have been charged with conspiracy to commit fraud and related activity in connection with computers, conspiracy to commit wire fraud, intentional damage to a protected computer and transmitting a demand in relation to damaging a protected computer, according to an indictment that was handed down in federal court earlier this week.
CDOT was one of multiple victims in the series of attacks, which began in December 2015, according to the indictment. Other notable victims include the city of Atlanta, city of Newark, multiple hospitals, the University of Calgary and the Port of San Diego.
Some CDOT computers were first infected with ransomware on Feb. 19 of this year, according to the indictment. Security tools detected the problem, and staff quarantined the virus to keep it from spreading, Colorado Chief Technology Officer David McCurdy said at the time.
It took four weeks to get systems 80 percent functional, until Apr. 13 to reach 97 percent and until May 4 to reach 100 percent, according to the Governor's Office of Information and Technology.
“The four weeks many of us sat in this command center, day and night, just wanting to hear that we know where it is, we’ve got it contained,” said Dan Santangelo, Chief Operating Officer of the Governor's Office of Information and Technology. “A week later we had security controls that we were planning to implement. If this had happened a week, or even a week and a half later, this likely would not have occurred or provided the impact that it did.”
The attack mainly hit the computers used for financial and HR purposes – which caused some difficulties paying workers and left some employees resorting to using a pen and paper.
The ransomware demanded that CDOT pay the hackers in bitcoin, which the state refused to do.
“Knowing or thinking about where that money may be going, and if you are funding any other type of criminal activity, which is, in this scenario, very likely, is something that you try and steer away from. No, we would not consider paying a ransom,” said Santangelo. “If you pay the ransom, you may not even get access to your data. You may not get anything in return.”
Santangelo would not say how much the ransom was for, but said it cost the state $1.5 to $2 million to fix the issues.
“The money really comes from emergency funding that we have,” said Santangelo. “Any type of emergency event.”
Other victims of the so-called “SamSam Ransomware” did pay, and this ultimately netted the suspects $6 million, the indictment said. That’s in addition to an estimated $30 million in lost productivity, since the attacks all but crippled many of the businesses and agencies that were targeted.
Each infected computer displayed a ransom note that told the victim their files were now encrypted, and they would have to pay Bitcoin to get the decryption keys, according to the indictment. The victims were given a webpage to communicate with the defendants -- at times requiring agencies to access the Tor network, or so-called "dark web."
In some cases, the ransom note contained an ominous “countdown clock” until files would be deleted.
Once the hackers received bitcoin payments, the indictment alleges, they would periodically exchange those with the Iranian currency rial.
In the wake of the indictment, Mansouri and Savandi are now on the FBI’s wanted list. According to a bulletin posted to the bureau’s website, the two men speak Farsi and are believed to live in Tehran, Iran.
According to a news release from the FBI, the suspects are currently out of reach of U.S. law enforcement, but can be apprehended if they travel and the U.S. is "currently exploring other avenues of recourse."