Iranians hacked US companies, sent ransom demands to printers, indictment says

Illustration of a hooded figure in dark room typing on a laptop. In the background, the wall is covered in ones and zeroes.
Getty Images | Bill Hinton

reader comments
11 with 10 posters participating

Three Iranian nationals charged with hacking into US-based computer networks sent ransom demands to the printers of at least some of their victims, according to an indictment unsealed today. The ransom demands allegedly sought payments in exchange for BitLocker decryption keys that the victims could use to regain access to their data.

The three defendants remain at large and outside the US, the DOJ said.

“The defendants’ hacking campaign exploited known vulnerabilities in commonly used network devices and software applications to gain access and exfiltrate data and information from victims’ computer systems,” the US Department of Justice said in a press release. Defendants Mansour Ahmadi, Ahmad Khatibi, Amir Hossein Nickaein “and others also conducted encryption attacks against victims’ computer systems, denying victims access to their systems and data unless a ransom payment was made.”

The indictment in US District Court for the District of New Jersey describes a few incidents in which ransom demands were sent to printers on hacked networks. In one case, a printed message sent to an accounting firm allegedly said, “We will sell your data if you decide not to pay or try to recover them.”

In another incident, the indictment said a Pennsylvania-based domestic violence shelter hacked in December 2021 received a message on its printers that said, “Hi. Do not take any action for recovery. Your files may be corrupted and not recoverable. Just contact us.”

Khatibi later “sent an email to a representative of the Domestic Violence Shelter asking for payment of one Bitcoin,” the indictment said. The shelter ultimately paid the equivalent of $13,000 to the hacker’s Bitcoin wallet, the indictment said, adding that Khatibi then “provided decryption keys to enable the Domestic Violence Shelter to restore access to its systems and data.”

Before sending the ransom demand, “a member of the conspiracy gained unauthorized access to the Domestic Violence Shelter’s computer system and launched an encryption attack by activating BitLocker, thereby denying the Domestic Violence Shelter access to some of its systems and data,” the indictment said. BitLocker is an encryption tool used in Windows.

not the first hacking campaign to use the tactic, sometimes called “print bombing,” of sending ransom demands to printers on the infected network.