Indictments against three Iranian nationals were unsealed by the U.S. Department of Justice on Wednesday. According to officials, the accused are the brains behind an international ransomware conspiracy that has been attacking hundreds of corporate and government victims globally for at least two years.
Amir Hossein Nickaein Ravari, 30, Mansour Ahmadi, 34, and Ahmad Khatibi Aghda, 45, are charged with hacking the computers of hundreds of victims in the U.S., U.K., Iran, Israel, and other nations.
But it soon became evident that the three suspected cybercriminals' connection to the Iranian government was more nuanced than first thought.
A few hours after the indictments were made public by the Justice Department, the U.S. Treasury Department unveiled new penalties against 10 Iranian citizens and two Iranian technology businesses.
Assistant Attorney General Matthew Olsen of the Justice Department's National Security Division accused Iran's government of establishing a "safe haven" for cybercriminals in a statement announcing the charges.
"Even other Iranians are less safe because their own government fails to follow international norms and stop Iranian cyber criminals," Olsen said.
The three individuals are accused of numerous federal computer offenses, but because they are all at large and abroad, according to the Justice Department, it is doubtful that they will ever be brought to justice.
The three allegedly breached and stole data from their targets' computer systems, according to the indictment. Additionally, they employed ransomware to lock down some of their targets' systems, preventing access unless a ransom was paid. Ransoms have occasionally been paid.
According to the Justice Department, their victims included small enterprises, governmental organizations, nonprofit initiatives, as well as educational and religious institutions. Critical infrastructure targets were also struck by the three men, including those in the transportation, health, and utility sectors.
The three men reportedly hacked and stole data from a New Jersey township and an accounting business. They also infected the accounting business with ransomware, demanding $50,000 in cryptocurrency to unlock its servers and threatening to sell the data on the black market.
In addition to Treasury and Justice, the State Department took action against the three alleged cybercriminals, announcing a bounty of up to $10 million for information on any of them.
Throughout the day, the indictments and sanctions notice painted a picture of a group of Iranian government-affiliated hackers moonlighting as ransomware criminals.
The men are also accused of holding hundreds of additional victims for ransom, including a regional power utility in Mississippi and Indiana, a state bar organization, an Illinois-based accounting firm, a domestic violence shelter in Pennsylvania, and a public housing corporation in Washington state.