Three Iranian nationals charged with hacking into US-based computer networks sent ransom demands to the printers of at least some of their victims, according to an indictment unsealed today. The ransom demands allegedly sought payments in exchange for BitLocker decryption keys that the victims could use to regain access to their data.
The three defendants remain at large and outside the US, the DOJ said.
“The defendants’ hacking campaign exploited known vulnerabilities in commonly used network devices and software applications to gain access and exfiltrate data and information from victims’ computer systems,” the US Department of Justice said in a press release. Defendants Mansour Ahmadi, Ahmad Khatibi, Amir Hossein Nickaein “and others also conducted encryption attacks against victims’ computer systems, denying victims access to their systems and data unless a ransom payment was made.”
The indictment in US District Court for the District of New Jersey describes a few incidents in which ransom demands were sent to printers on hacked networks. In one case, a printed message sent to an accounting firm allegedly said, “We will sell your data if you decide not to pay or try to recover them.”
In another incident, the indictment said a Pennsylvania-based domestic violence shelter hacked in December 2021 received a message on its printers that said, “Hi. Do not take any action for recovery. Your files may be corrupted and not recoverable. Just contact us.”
Khatibi later “sent an email to a representative of the Domestic Violence Shelter asking for payment of one Bitcoin,” the indictment said. The shelter ultimately paid the equivalent of $13,000 to the hacker’s Bitcoin wallet, the indictment said, adding that Khatibi then “provided decryption keys to enable the Domestic Violence Shelter to restore access to its systems and data.”
Before sending the ransom demand, “a member of the conspiracy gained unauthorized access to the Domestic Violence Shelter’s computer system and launched an encryption attack by activating BitLocker, thereby denying the Domestic Violence Shelter access to some of its systems and data,” the indictment said. BitLocker is an encryption tool used in Windows.
“YOU HAVE TO CONTACT US IMMEDIATELY”
Victims included small businesses, government agencies, nonprofit programs, educational and religious institutions, and “multiple critical infrastructure sectors, including health care centers, transportation services and utility providers,” the DOJ press release said. The three indicted hackers and co-conspirators “collected payments in Bitcoin and other cryptocurrencies from certain victims that paid the ransom to decrypt their data,” the indictment said.
The Iranians hacked networks in several countries, “gain[ing] unauthorized access to the computer systems of hundreds of victims in the United States, the United Kingdom, Israel, Iran, and elsewhere,” the DOJ said. The US agency accused Iran’s government of “creat[ing] a safe haven where cyber criminals acting for personal gain flourish and defendants like these are able to hack and extort victims, including critical infrastructure providers.”
In April 2021, “Nickaein sent a ransom demand communication to the printers” of an Illinois company referred to as “Accounting Firm 2,” the indictment said. The ransom demand allegedly told the firm to contact an email account controlled by Nickaein and included the following text:
IF YOU ARE READING THIS, IT MEANS YOUR DATA IS ENCRYPTED AND YOUR PRIVATE SENSITIVE INFORMATION IS STOLEN!
READ CAREFULLY THE WHOLE INSTRUCTIONS TO AVOID ANY PROBLEMS
YOU HAVE TO CONTACT US IMMEDIATELY TO RESOLVE THIS ISSUE AND MAKE A DEAL!
We will sell your data if you decide not to pay or try to recover them.
Before sending the ransom demand, Nickaein hacked into the company’s network, “stole data, and launched an encryption attack using BitLocker, thereby denying Accounting Firm 2 access to certain of its systems and data,” the indictment said.
This is not the first hacking campaign to use the tactic, sometimes called “print bombing,” of sending ransom demands to printers on the infected network.