Amir Hossein Nickaein Ravari

Amir Hossein Nickaein Ravari is a U.S.-designated Iranian cyber hacker who, along with Ahmad Khatibi Aghda and Mansour Ahmadi, carried out a wide-ranging hacking campaign to compromise hundreds of computers across the United States and abroad. On September 14, 2022, Ahmadi was designated by the U.S. Department of the Treasury as a Specially Designated National (SDN) for carrying out cybercrimes in affiliation with the Islamic Revolutionary Guard Corps (IRGC), an Iranian government agency tasked with defending the regime against internal and external threats. “Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity,” U.S. Department of the Treasury, September 14, 2022, https://home.treasury.gov/news/press-releases/jy0948.

According to the U.S. Treasury Department, Ravari was an employee of the Iran-based cyber company Afkar System Yazd Co. (Afkar System) from at least 2015 until 2019. “Amir Hossein Nickaein Ravari,” Rewards for Justice, https://rewardsforjustice.net/rewards/amir-hossein-nickaein-ravari/#:~:text=Rewards%20for%20Justice%20is%20offering,infrastructure%20in%20violation%20of%20the. While an employee of Afkar System, Ravari purchased and registered various network-based services, which he then used to target and compromise victims’ computer networks. “Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity,” U.S. Department of the Treasury, September 14, 2022, https://home.treasury.gov/news/press-releases/jy0948.

Between October 2020 and August 2022, Ravari worked with Ahmadi and Aghda to gain unauthorized access to protected networks. After gaining access, the men exfiltrated data, encrypted computer systems, and extorted victims for ransom. Their activities—which compromised the operational capabilities of organizations across multiple sectors—targeted small businesses, government agencies, non-profit programs, and educational and religious institutions. “Three Iranian Nationals Charged With Engaging In Computer Intrusions And Ransomware-Style Extortion Against U.S. Critical Infrastructure Providers,” U.S. Department of Justice, September 14, 2022, https://www.justice.gov/usao-nj/pr/three-iranian-nationals-charged-engaging-computer-intrusions-and-ransomware-style.

On August 10, 2022, a federal grand jury in New Jersey indicted Ravari, Khatibi, and Ahmadi on charges of conspiracy to commit fraud and related activity in connection with computers, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer. “AMIR HOSSEIN NICKAEIN RAVARI,” Federal Bureau of Investigation, https://www.fbi.gov/wanted/cyber/amir-hossein-nickaein-ravari.

In February 2021, Ravari and his conspirators targeted a township in Union County, New Jersey, eventually gaining access and using a hacking tool to establish continued remote access. A year later, around February 2022, Ravari, Ahmadi, and Aghda targeted an accounting firm based in Morris County, New Jersey, where they used a hacking tool to establish continued remote access and steal data from the firm. The defendants then heavily encrypted the firm’s computer systems in March 2022, demanding payment of $50,000 in cryptocurrency in exchange for the firm to regain access to some of its systems. “Three Iranian Nationals Charged With Engaging In Computer Intrusions And Ransomware-Style Extortion Against U.S. Critical Infrastructure Providers,” U.S. Department of Justice, September 14, 2022, https://www.justice.gov/usao-nj/pr/three-iranian-nationals-charged-engaging-computer-intrusions-and-ransomware-style.

Along with victims in New Jersey, the defendants also compromised data from an accounting firm in Illinois, regional electric utility companies based in Mississippi and Indiana, a public housing corporation in Washington, a domestic violence shelter in Pennsylvania, a county government in Wyoming, and a state bar association, among others. The men are charged with one count of conspiring to commit computer fraud, intentionally damaging a protected computer, and transmitting a demand in relation to damaging a protected computer. Ahmadi is charged with one additional count of intentionally damaging a protected computer. If found guilty, the men face between five and 10 years’ imprisonment. “Three Iranian Nationals Charged With Engaging In Computer Intrusions And Ransomware-Style Extortion Against U.S. Critical Infrastructure Providers,” U.S. Department of Justice, September 14, 2022, https://www.justice.gov/usao-nj/pr/three-iranian-nationals-charged-engaging-computer-intrusions-and-ransomware-style.

Given Ravari’s activities, on September 14, 2022, the U.S. Department of the Treasury designated Ravari as an SDN. “Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity,” U.S. Department of the Treasury, September 14, 2022, https://home.treasury.gov/news/press-releases/jy0948. Additionally, the U.S. Department of State’s Rewards for Justice program is offering $10 million for information leading to the capture of Ravari. “Amir Hossein Nickaein Ravari,” Rewards for Justice, https://rewardsforjustice.net/rewards/amir-hossein-nickaein-ravari/#:~:text=Rewards%20for%20Justice%20is%20offering,infrastructure%20in%20violation%20of%20the.

Extremist entity: Islamic Revolutionary Guard Corps (IRGC)
Type(s) of Organization: Military, terrorist, transnational, violent
Ideologies and Affiliations: Islamist, Khomeinist, Shiite, state actor
Position(s): Cyber hacker and extortioner

The IRGC is an Iranian government agency tasked with defending the regime against internal and external threats. The IRGC uses secret police methods against its opponents within Iran, and terrorist tactics against its enemies abroad.

  • Designations

United States

  • The United States Department of the Treasury designated Amir Hossein Nikaeen Ravari as a Specially Designated National on September 14, 2022. “Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity,” U.S. Department of the Treasury, September 14, 2022, https://home.treasury.gov/news/press-releases/jy0948.
