Using Microsoft’s BitLocker security tool, the hackers locked up and then stole secure files before sending ransom notes – some of which were spit out on the victims’ printers, the FBI said on Wednesday, Sept. 14.
The unidentified shelter ended up paying $13,000 in bitcoin to retrieve its files, according to the Justice Department.
An accounting firm in Morris County, NJ, was threatened with having its data sold on the black market if it didn’t pony up $50,000, officials said. Some demands reportedly reached into the hundreds of thousands, they said.
The victimized New Jersey municipality was identified only as a township in Union County (which has eight of them among its 21 towns, boroughs and cities).
"Ransom-related cyberattacks, like what happened here, are a particularly destructive form of cybercrime," said U.S. Attorney for New Jersey Philip Sellinger. "No form of cyber-attack is acceptable, but ransomware attacks that target critical infrastructure services, such as health care facilities and government agencies, are a threat to our national security.”
The hackers -- Mansour Ahmadi, Ahmad Khatibi Aghda and Amir Hossein Nickaein Ravari -- are all believed to be in Iran, Sellinger said after a U.S. District Court judge in Newark unsealed an indictment Wednesday accusing them of the worldwide ransomware attacks.
Getting them into custody in the United States will require them leaving Iran, which doesn’t pursue such criminals, Justice Department officials conceded.
Ahmadi, Aghda and Ravari are or were executives at two Iranian government contractors, Najee Technology and Afkar System, the U.S. Treasury Department said.
However, Justice Department officials said all three were in it as a side hustle and not to serve the Iranian government.
Perhaps not coincidentally, the FBI announced Wednesday that it's investigating similar ransomware attacks in more than 100 counties by a group of hackers working for Iranian military contractors. Victims include an unidentified police department in the United States, an aerospace group and what was loosely identified as an American regional transportation system.
“Even other Iranians are less safe because their own government fails to follow international norms and stop Iranian cyber criminals,” Assistant U.S. Attorney General Matthew Olsen said Wednesday.
Corporations victimized by ransomware attacks ordinarily pay up rather than alert authorities and risk alarming investors. The Justice Department insists, however, that it can produce better outcomes if they speak up right away and not hide it.
The indictment returned by a federal grand jury in Newark says Ahmadi, Aghda and Ravari exploited vulnerabilities in network devices or software programs belonging to a range of victims, including small businesses, government agencies, non-profit programs and educational and religious institutions.
Also victimized were multiple critical infrastructure sectors -- including health care centers, transportation services and utility companies – even a state bar association, it says.
The indictment accuses the trio of conspiring to commit computer fraud, intentionally damaging a protected computer and transmitting a demand as a result of the damage.
It identifies them by both their given names and their aliases:
- Mansour Ahmadi, 34, also known as “Mansur Ahmadi”;
- Ahmad Khatibi Aghda, 45, also known as “Ahmad Khatibi”;
- Amir Hossein Nickaein Ravari, 30, also known as “Amir Hossein Nikaeen,” “Amir Hossein Nickaein,” and “Amir Nikayin.”
“Hackers like these defendants go to great lengths to keep their identities secret,” Sellinger said, “but there is always a digital trail. And we will find it."
Sellinger credited special agents of the FBI’s Newark Division with making the case.
Assistant U.S. Attorneys David E. Malagold and Matthew Feldman Nikic of his Cybercrime Unit in Newark and Trial Attorney Andrew D. Beaty of the National Security Division in Washington, D.C., are handling the prosecution, Sellinger said.
Click here to follow Daily Voice Hampden-Silver Spring and receive free news updates.