A federal grand jury in Atlanta on Wednesday became the latest to indict two Iranian nationals on charges of creating and deploying the “SamSam” ransomware that attacked vital city computer systems earlier this year in an attempt to extort tens of thousands of dollars from the local government.
The indictment, filed in the U.S. District Court for the Northern District of Georgia, charges Faramarz Savandi and Mohammed Mansouri with intentional damage to Atlanta’s protected computers. The cyberattack is a violation of the Computer Fraud and Abuse Act and threatened public health and safety, the U.S. Attorney’s office said in a statement.
“In March 2018, a devastating ransomware attack interrupted City of Atlanta government functions and disrupted our community,” U.S. Attorney Byung J. “BJay” Pak said in a statement.
The SamSam malware crippled several city online services for more than a week. After becoming infected, municipal court computers were unable to pull up cases; residents were blocked from paying bills online; and police officers were forced to revert to writing reports and booking inmates by hand.
Pak’s office alleges it was Savandi and Mansouri who held 3,789 of the city’s computers hostage, demanding a six-bitcoin ransom payment — valued at about $51,000 at the time — in exchange for delivering an encryption key that would restore access to the data.
In the end, the attack caused the city “to incur substantial expenses” and inflicted “millions of dollars in losses,” Pak’s office said. But those expenses did not include the demanded payoff. The statement noted, “The City of Atlanta did not pay the ransom.”
Wednesday’s charges against Savandi and Mansouri — both believed to reside in Iran — follow a federal grand jury indictment in New Jersey that was unsealed last week. In that case, the pair were charged with six counts of computer hacking and fraud by U.S. Deputy Attorney General Rod Rosenstein.
“The Iranian defendants allegedly used hacking and malware to cause more than $30 million in losses to more than 200 victims,” Rosenstein said last week. “According to the indictment, the hackers infiltrated computer systems in 10 states and Canada and then demanded payment. The criminal activity harmed state agencies, city governments, hospitals, and countless innocent victims.”
In court documents, the Justice Department claims that Savandi and Mansouri have collected more than $6 million in ransom payments since they first launched SamSam in December 2015.
Officials said the two made updates to the malware twice in 2017.
Their first alleged target was a business in Mercer County, N.J., but the duo quickly moved on to exploit software vulnerabilities at major public entities, including the cities of Atlanta and Newark, N.J., the Port of San Diego, the Colorado Department of Transportation, Hollywood Presbyterian Medical Center in Los Angeles and the University of Calgary in Alberta, Canada, among many others.
New Jersey U.S. Attorney Craig Carpenito accused Savandi and Mansouri of “cravenly taking advantage of the fact that these victims depend on their computer networks to serve the public, the sick, and the injured without interruption.”
Assistant Attorney General Brian Benczkowski called the New Jersey indictment “the first of its kind.”
The indictment alleges the men’s hacking and extortion scheme is part of a “continuing trend of cyber criminal activity emanating from Iran.” It also states Savandi and Mansouri employed “Iran-based bitcoin exchangers” and that they “utilized overseas computer infrastructure to commit their attacks.”
The same day the New Jersey indictment was filed, the U.S. Treasury Department’s Office of Foreign Assets Control placed two bitcoin addresses on its sanctions list for the first time in history.
The accounts belonged to Ali Khorashadizadeh and Mohammad Ghorbaniyan, two Iran-based individuals, “who helped exchange digital currency (bitcoin) ransom payments into Iranian rial on behalf of Iranian malicious cyber actors involved with the SamSam ransomware scheme,” the department said in a statement.
“As Iran becomes increasingly isolated and desperate for access to U.S. dollars, it is vital that virtual currency exchanges, peer-to-peer exchangers, and other providers of digital currency services harden their networks against these illicit schemes,” said Treasury Under Secretary for Terrorism and Financial Intelligence Sigal Mandelker.
Treasury officials assert that over the last five years Khorashadizadeh and Ghorbaniyan have processed more than 7,000 transactions from over 40 exchangers, including some in the U.S. Since 2013 they have essentially laundered approximately 6,000 bitcoin worth millions of dollars, according to the statement.
The charges against Savandi and Mansouri are unlikely to lead to a trial of either of the men. Iran does not have an extradition treaty with the U.S. But as NPR’s Ryan Lucas reported, such federal charges are part of “a strategy by the U.S. government to generate detailed, legally admissible cases against foreign cyber-attackers even though they’re unlikely to see the inside of a U.S. courtroom.”