Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



U.S. Charges Two Iranians Over SamSam Ransomware Attacks

Mohammad Mehdi Shah Mansouri and Faramarz Shahi Savandi on FBI's Most Wanted list

Mohammad Mehdi Shah Mansouri and Faramarz Shahi Savandi on FBI's Most Wanted list

The U.S. Department of Justice on Wednesday announced that two Iranian men have been charged over their alleged role in creating the notorious SamSam ransomware and using it to extort hundreds of organizations.

Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, face six hacking and extortion-related charges, including conspiracy to commit wire fraud, conspiracy to commit fraud and related activity in connection with computers, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer.

According to authorities, Savandi and Mansouri developed the SamSam ransomware in December 2015 and they have been improving it ever since. The alleged cybercriminals targeted over 200 organizations, including public institutions, municipalities, and hospitals, and their attacks are said to have caused over $30 million in losses.

One of SamSam’s high-profile victims was the City of Atlanta, which estimates that it will spend well over $10 million to deal with the effects of the attack. The recent attack on the port of San Diego has also been attributed to SamSam and the two Iranian nationals. The list of victims also includes the City of Newark, the Colorado Department of Transportation, the University of Calgary in Canada, and several important healthcare-related entities.

The hackers researched their potential targets and conducted reconnaissance in order to find the right victims. However, their efforts appear to have paid off as investigators believe the two made at least $6 million in ransom payments. Researchers estimated in January 2018 that the SamSam operators had made over $325,000 in just a 4-week period.

SamSam, also tracked as Samas and SamsamCrypt, is designed to encrypt files found on infected computers. The threat actors behind the ransomware demand the payment of a certain amount of money – the ransom is often tens of thousands of dollars in Bitcoin – in exchange for the decryption keys needed to recover the files. Authorities say Savandi and Mansouri used Iranian Bitcoin exchanges to exchange the cryptocurrency into Iranian rial.

The hackers leveraged the Tor anonymity network, they attempted to hide their malicious activities by disguising them as legitimate network traffic, and they launched the attacks outside regular business hours to make mitigation more difficult. They also encrypted data backups in an effort to prevent victims from recovering their files without paying the ransom.

Savandi and Mansouri have been added to the FBI’s Cyber Most Wanted list, but no reward is being offered for information leading to their capture.

Advertisement. Scroll to continue reading.

It’s unclear if the US believes the two are working on behalf of the Iranian government, but it would not be surprising. The North Korean government, for example, is said to have launched many cybercrime-like operations, including ransomware attacks, for profit.

Related: SamSam Ransomware: Patient, Persistent, Competent and Dangerous

Related: Two Iranians Charged in U.S. Over Hacking Defense Materials

Related: U.S. Charges Two Iranians With Hacking, Credit Card Fraud

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

Professional services company Slalom has appointed Christopher Burger as its first CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.