The U.S. Justice Department indicted two men who led cyberattacks on the computer systems of healthcare companies and others, resulting in more than $30 million in losses.
This was the first U.S. indictment of individual people for ransomware attacks.
The companies infected with the ransomware include Allscripts, Medstar Health, and Hollywood Presbyterian Medical Center. Altogether, the attacks caused victims to lose more than $30 million, in addition to the ransom payments.
The men, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, both based in Iran, used the SamSam ransomware for extortion, netting them more than $6 million in ransom payments. They "deliberately engaged in an extreme form of 21st-century digital blackmail, attacking and extorting vulnerable victims like hospitals and schools, victims they knew would be willing and able to pay," said Assistant Attorney General Brian Benczkowski in a statement.
After hacking into organizations' networks, the hackers used the SamSam ransomware to seal off access to the data. They then demanded payment in bitcoin in exchange for unlocking the data.
For Allscripts, that meant days of downtime for its Professional EHR, Electronic Prescriptions for Controlled Substances, and other services, affecting about 1,500 clients.
"Allscripts and its affiliates support and are encouraged by efforts to bring perpetrators of ransomware attacks to justice," the company said in a statement.
The indictment reflects the Justice Department's tough stance on cybercrime, according to Benczkowski. The indictment also serves as a reminder, he said. "We want to get the word out that every sector of our economy is a potential target of malicious cyber activity."
Healthcare in particular has drawn the attention of hackers. Earlier this week, Atrium Health announced that the systems of third-party vendor AccuDoc Solutions had been breached, potentially exposing 2.65 million people's information.
Overall, between the beginning of 2018 and the end of October, there were 306 breaches of healthcare organizations reported to the Office for Civil Rights. The majority of those breaches were classified as "hacking/IT incident."
Because hacking is growing more and more widespread, companies need to "diversify" their defense strategies, according to Sherban Naum, senior vice president for corporate strategy and technology for data-security firm Bromium. These strategies should involve separating out the most important information on their networks so it's protected in case of a widespread hack, he said.
The SamSam indictment is not the first law enforcement action taken against hackers who hit healthcare systems. In 2018, authorities arrested a hacker who gained access to more than 1800 medical records at the University of Virginia Health System.
Nor is it the first indictment of hackers in general. Recently, the U.S. Justice Department indicted seven Russians for hacking U.S. organizations, among other charges.