{
	"id": "e1fcf702-8d6b-4b2f-8fb8-a51cc2b3cc50",
	"created_at": "2026-04-06T01:31:55.022271Z",
	"updated_at": "2026-04-10T03:20:05.00681Z",
	"deleted_at": null,
	"sha1_hash": "d3485dcb2495886e204851d1dcf3761316c20286",
	"title": "Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing Over $30 Million in Losses",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43167,
	"plain_text": "Two Iranian Men Indicted for Deploying Ransomware to Extort\r\nHospitals, Municipalities, and Public Institutions, Causing Over\r\n$30 Million in Losses\r\nPublished: 2018-11-28 · Archived: 2026-04-06 00:57:16 UTC\r\nA federal grand jury returned an indictment unsealed today in Newark, New Jersey charging Faramarz Shahi\r\nSavandi, 34, and Mohammad Mehdi Shah Mansouri, 27, both of Iran, in a 34-month-long international computer\r\nhacking and extortion scheme involving the deployment of sophisticated ransomware, announced Deputy\r\nAttorney General Rod J. Rosenstein, Assistant Attorney General Brian A. Benczkowski of the Justice\r\nDepartment’s Criminal Division, U.S. Attorney Craig Carpenito for the District of New Jersey and Executive\r\nAssistant Director Amy S. Hess of the FBI.\r\nThe six-count indictment alleges that Savandi and Mansouri, acting from inside Iran, authored malware, known as\r\n“SamSam Ransomware,” capable of forcibly encrypting data on the computers of victims.  According to the\r\nindictment, beginning in December 2015, Savandi and Mansouri would then allegedly access the computers of\r\nvictim entities without authorization through security vulnerabilities, and install and execute the SamSam\r\nRansomware on the computers, resulting in the encryption of data on the victims’ computers.  
These more than\r\n200 victims included hospitals, municipalities, and public institutions, according to the indictment, including the\r\nCity of Atlanta, Georgia; the City of Newark, New Jersey; the Port of San Diego, California; the Colorado\r\nDepartment of Transportation; the University of Calgary in Calgary, Alberta, Canada; and six health care-related\r\nentities: Hollywood Presbyterian Medical Center in Los Angeles, California; Kansas Heart Hospital in Wichita,\r\nKansas; Laboratory Corporation of America Holdings, more commonly known as LabCorp, headquartered in\r\nBurlington, North Carolina; MedStar Health, headquartered in Columbia, Maryland; Nebraska Orthopedic\r\nHospital now known as OrthoNebraska Hospital, in Omaha, Nebraska and Allscripts Healthcare Solutions Inc.,\r\nheadquartered in Chicago, Illinois.\r\nAccording to the indictment, Savandi and Mansouri would then extort victim entities by demanding a ransom paid\r\nin the virtual currency Bitcoin in exchange for decryption keys for the encrypted data, collecting ransom payments\r\nfrom victim entities that paid the ransom, and exchanging the Bitcoin proceeds into Iranian rial using Iran-based\r\nBitcoin exchangers.  The indictment alleges that, as a result of their conduct, Savandi and Mansouri have collected\r\nover $6 million USD in ransom payments to date, and caused over $30 million USD in losses to victims.\r\n“The Iranian defendants allegedly used hacking and malware to cause more than $30 million in losses to more\r\nthan 200 victims,” said Deputy Attorney General Rosenstein.  “According to the indictment, the hackers infiltrated\r\ncomputer systems in 10 states and Canada and then demanded payment. 
The criminal activity harmed state\r\nagencies, city governments, hospitals, and countless innocent victims.”\r\n“The allegations in the indictment unsealed today—the first of its kind—outline an Iran-based international\r\ncomputer hacking and extortion scheme that engaged in 21st-century digital blackmail,” said Assistant Attorney\r\nGeneral Benczkowski.  “These defendants allegedly used ransomware to infect the computer networks of\r\nmunicipalities, hospitals, and other key public institutions, locking out the computer owners, and then demanded\r\nmillions of dollars in payments from them. As today’s charges demonstrate, the Criminal Division and its law\r\nenforcement partners will relentlessly pursue cybercriminals who harm American citizens, businesses, and\r\ninstitutions, regardless of where those criminals may reside.”\r\n“The defendants in this case developed and deployed the SamSam Ransomware in order to hold public and private\r\nentities hostage and then extort money from them,” said U.S. Attorney Carpenito.  “As the indictment in this case\r\ndetails, they started with a business in Mercer County and then moved on to major public entities, like the City of\r\nNewark, and healthcare providers, like the Hollywood Presbyterian Medical Center in Los Angeles and the\r\nKansas Heart Hospital in Wichita—cravenly taking advantage of the fact that these victims depend on their\r\ncomputer networks to serve the public, the sick, and the injured without interruption.  The charges announced\r\ntoday show that the U.S. 
Attorney’s Office for the District of New Jersey will continue to act to disrupt such\r\ncriminal acts, and identify those who are responsible for them, no matter where in the world they may seek to\r\nhide.”\r\n“This indictment demonstrates the FBI’s continuous commitment to unmasking malicious actors behind the\r\nworld’s most egregious cyberattacks,” said Executive Assistant Director Hess.  “By calling out those who threaten\r\nAmerican systems, we expose criminals who hide behind their computer and launch attacks that threaten our\r\npublic safety and national security.  The actions highlighted today, which represent a continuing trend of cyber\r\ncriminal activity emanating from Iran, were particularly threatening, as they targeted public safety institutions,\r\nincluding U.S. hospital systems and governmental entities.  The FBI, with the assistance of our private sector and\r\nU.S. government partners, are sending a strong message that we will work together to investigate and hold all\r\ncriminals accountable.”\r\nSavandi and Mansouri are charged with one count of conspiracy to commit wire fraud, one count of conspiracy to\r\ncommit fraud and related activity in connection with computers, two substantive counts of intentional damage to a\r\nprotected computer and two substantive counts of transmitting a demand in relation to damaging a protected\r\ncomputer.\r\nAccording to the indictment, Savandi and Mansouri created the first version of the SamSam Ransomware in\r\nDecember 2015, and created further refined versions in June and October 2017.  In addition to employing Iran-based Bitcoin exchangers, the indictment alleges that the defendants also utilized overseas computer infrastructure\r\nto commit their attacks.   
Savandi and Mansouri would also use sophisticated online reconnaissance techniques\r\n(such as scanning for computer network vulnerabilities) and conduct online research in order to select and target\r\npotential victims, according to the indictment.  According to the indictment, the defendants would also disguise\r\ntheir attacks to appear like legitimate network activity.\r\nTo carry out their scheme, the indictment alleges that the defendants also employed the use of Tor, a computer\r\nnetwork designed to facilitate anonymous communication over the internet.  According to the indictment, the\r\ndefendants maximized the damage caused to victims by launching attacks outside regular business hours, when a\r\nvictim would find it more difficult to mitigate the attack, and by encrypting backups of the victims’ computers. \r\nThis was intended to—and often did—cripple the regular business operations of the victims, according to the\r\nindictment.  The most recent ransomware attack against a victim alleged in the indictment took place on Sept. 25,\r\n2018.\r\nThis case was investigated by the FBI’s Newark Field Office.  Senior Counsel William A. Hall Jr. of the Criminal\r\nDivision’s Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorney and Chief of\r\nthe Cybercrimes Unit Justin S. Herring of the District of New Jersey are prosecuting the case.  The Department\r\nthanks its law enforcement colleagues at the National Crime Agency (UK), West Yorkshire Police (UK), Calgary\r\nPolice Service (Canada), and the Royal Canadian Mounted Police.  
Significant assistance was provided by the\r\nJustice Department’s National Security Division and the Criminal Division’s Office of International Affairs.\r\nVictims are encouraged to contact their local FBI field office and file a complaint online with the Internet Crime\r\nComplaint Center (IC3).  The IC3 staff reviews complaints, looking for patterns or other indicators of significant\r\ncriminal activity, and refers investigative packages of complaints to the appropriate law enforcement authorities in\r\na particular city or region. The FBI provides a variety of resources relating to ransomware through the IC3, which\r\ncan be reached at www.ic3.gov.   For more information on ransomware prevention, visit: \r\nhttps://www.ic3.gov/media/2016/160915.aspx   \r\nCharges contained in an indictment are merely allegations, and the defendants are presumed innocent until proven\r\nguilty beyond a reasonable doubt in a court of law.\r\nSource: https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public"
	],
	"report_names": [
		"two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public"
	],
	"threat_actors": [],
	"ts_created_at": 1775439115,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d3485dcb2495886e204851d1dcf3761316c20286.pdf",
		"text": "https://archive.orkl.eu/d3485dcb2495886e204851d1dcf3761316c20286.txt",
		"img": "https://archive.orkl.eu/d3485dcb2495886e204851d1dcf3761316c20286.jpg"
	}
}