Iranian hackers wanted for hijacking Chicago health data company

By Chuck Goudie, Ross Weidner and Christine Tressel, WLS
Thursday, November 29, 2018

Ransomware was installed on the computers at Chicago-based Allscripts in January, one of at least 200 victims of Iranian hackers.

CHICAGO (WLS) -- Two hackers in Iran were behind a worldwide wave of ransomware attacks that targeted a major Chicago healthcare technology company, federal officials said Wednesday.

Allscripts, headquartered in Chicago's Merchandise Mart, was hit by the cyberattack in mid-January and left healthcare subscribers with impaired access to medical data, including electronic prescribing for controlled substances, according to trade reports at the time. The hackers held Allscripts computers hostage "by demanding a ransom paid in Bitcoin in exchange for decryption keys."

A U.S. indictment unsealed on Wednesday in Newark, N.J., accuses Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri of running what authorities called "an extreme form of 21st century digital blackmail," using the SamSam ransomware to target vulnerable institutions across the U.S. and Canada.

Savandi, 34, and Mansouri, 27, allegedly engineered the ransomware program and are now named in FBI arrest warrants.

There were more than 200 victims of the attacks, according to federal investigators, including more than a half-dozen takeovers in Illinois, one of the worst-hit states. Numerous hospitals and universities in the U.S. and Canada were among the victims, along with the cities of Atlanta, Georgia, and Newark, New Jersey. In April 2017, Newark paid the hackers about $30,000 in bitcoin ransom to regain access to its systems, according to the city's mayor.

SamSam ransomware encrypts the files on a victim's computers and withholds the decryption key until the victim pays the hackers. Only once the key is handed over can the targeted systems be "unlocked" and returned to normal service, although on Wednesday FBI officials urged victims not to pay if it happens again, because paying only encourages additional attacks.
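To make the mechanic above concrete, here is an added example (not code from the article, the indictment, or SamSam itself) showing why the victim's data is unrecoverable without the key the attacker holds, together with the entropy check defenders commonly use to spot files that have just been mass-encrypted. The cipher is a stand-in construction (HMAC-SHA-256 run in counter mode to produce a keystream), the sample "medical record" is constructed, and the 7.0 bits-per-byte threshold and 512-byte minimum size are assumed tuning values, not figures from the page.

```python
"""Ransomware mechanic and an entropy-based detection check.

Added example, NOT code from the article, the indictment, or SamSam.
The cipher is a stand-in (HMAC-SHA-256 in counter mode); it exists only to
show that the data cannot be recovered without the attacker-held key.
"""

import hashlib
import hmac
import math
from collections import Counter


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC-SHA256(key, nonce || counter) per 32-byte block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_with_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse). Only the key holder can undo it."""
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.0, min_size: int = 512) -> bool:
    """Detection heuristic: documents and source text sit well below 7 bits/byte,
    encrypted (or compressed) output sits near 8. Files shorter than min_size are
    skipped because the estimate is unreliable on them. Both values are assumed."""
    if len(data) < min_size:
        return False
    return shannon_entropy(data) >= threshold


# Constructed sample record: repetitive text, as a real document would be.
SAMPLE_RECORD = (
    b"Patient: J. Doe  DOB: 1970-01-01  Rx: amoxicillin 500mg TID x10d\n"
) * 64
# Assumed attacker-held key; the victim never possesses it.
ATTACKER_KEY = hashlib.sha256(b"attacker-held secret").digest()
NONCE = b"\x00" * 16


def simulate_attack(plaintext: bytes = SAMPLE_RECORD) -> dict:
    """Encrypt the sample, then attempt recovery with and without the real key."""
    ciphertext = xor_with_keystream(ATTACKER_KEY, NONCE, plaintext)
    wrong_key = hashlib.sha256(b"victim guess").digest()  # a guess, not the real key
    return {
        "plaintext_entropy": shannon_entropy(plaintext),
        "ciphertext_entropy": shannon_entropy(ciphertext),
        "flagged_before": looks_encrypted(plaintext),
        "flagged_after": looks_encrypted(ciphertext),
        "recovered_with_key": xor_with_keystream(ATTACKER_KEY, NONCE, ciphertext) == plaintext,
        "recovered_with_wrong_key": xor_with_keystream(wrong_key, NONCE, ciphertext) == plaintext,
    }


if __name__ == "__main__":
    for name, value in simulate_attack().items():
        print(f"{name}: {value}")
```

The entropy check is a detection aid, not a recovery path: it tells a defender that files are being rewritten as high-entropy blobs, which is the moment to isolate the host and fall back to offline backups, the only restoration option that does not depend on the attacker honoring a ransom.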

"Just because you pay doesn't mean that the criminals are actually going to do what they said they would do," said Amy Hess, executive assistant director of the FBI's Criminal, Cyber, Response and Services branch.

The Iran-based attackers ultimately cost their victims more than $6 million in ransom payments and more than $30 million in losses from lack of access to their data, according to the indictment.

An Allscripts spokesperson in Chicago on Wednesday declined to reveal the amount of ransom paid to hackers, or comment on the current status of the company's computer system.

"Allscripts and its affiliates support and are encouraged by efforts to bring perpetrators of ransomware attacks to justice," company spokesperson Concetta Rasiarmos told the ABC7 I-Team. "Data security is very important in the healthcare industry, and the Allscripts enterprise is dedicated to protecting the information of our clients and their patients."

Allscripts is now facing a class action federal lawsuit alleging the company didn't sufficiently monitor its cloud-based data systems to protect its clients' data from the attack. Surfside Non-Surgical Orthopedics in Boynton Beach, Florida, filed the lawsuit in Chicago, claiming that SamSam ransomware had been a well-known threat since 2016.

In September Allscripts filed a motion to dismiss that will be ruled on early next year, according to court records.