The case against two Iranian men accused last month of carrying out costly ransomware attacks has expanded to one of the states hit hardest by the wave of cybercrimes.
Federal prosecutors in Georgia on Wednesday filed additional charges against Faramarz Shahi Savandi and Mohammed Mehdi Shah Mansouri, in connection to the March ransomware attack against Atlanta, which has cost the city government millions of dollars.
While the new charges largely mirror the initial indictment — which outlined a nearly three-year spree of cyberattacks that have struck more than 200 governments, businesses and hospitals across the United States and Canada going back nearly three years — they also give added detail in to the Atlanta attack, one of the biggest ransomware incidents on record.
In the new indictment, prosecutors allege that the two men infected thousands of computers belonging to the Atlanta municipal government with the ransomware, causing files on the affected machines to become encrypted unless they were paid a specified amount of bitcoins. The attack, which authorities say was carried out between March 10 and March 22, resulted in residents losing the ability to use the city’s online services, officials losing years’ worth of archived emails, municipal courts not being able to schedule hearings and police not being able to access surveillance video footage, among other effects.
In total, the ransomware landed on 3,789 city-owned computers and servers. Infected computers displayed ransom notes demanding either 0.8 bitcoin per device for a decryption key, or six bitcoins — equal to about $51,000 at the time — to unlock all the encrypted data. Prosecutors said that unlike other victims Atlanta officials refused to pay the ransom.
But recovering from the attack has been far more costly to the city than what Savandi and Mansouri allegedly asked for, and has largely defined Mayor Keisha Lance Bottoms’ first year in office. The bill for rebuilding all the impacted municipal systems could eventually reach $17 million.
In the new indictment Savandi and Mansouri, both of whom are believed to reside in Tehran, were charged with causing intentional damage to computers, causing more than $5,000 in damage. Byung J. Pak, the U.S. attorney for the Northern District of Georgia, announced the charges a week after Deputy Attorney General Rod Rosenstein first named Savandi and Mansouri as suspects a series of ransomware attacks stretching back more than two years.
In a press conference last week, Rosenstein and other Justice Department officials alleged that Savandi and Mansouri developed the SamSam ransomware in December 2015, and a few months later started installing it on U.S. and Canadian computer systems they illegally accessed, starting with a business in Mercer County, New Jersey. The attacks continued, with targets growing in stature to include major hospital systems — some of which temporarily lost their ability to admit new patients — and local governments.
Newark, New Jersey, was the first large city to be struck with SamSam, suffering a March 2017 attack that caused officials to fork over about $30,000 in bitcoins to regain access to their encrypted data. In total, authorities have identified more than 200 SamSam attacks that have produced more than $6 million in payments.
The initial charges against Savandi and Mansouri were filed in federal court in New Jersey, though Pak said Wednesday the Georgia charges were developed in concert with the first indictment.
In a statement last week following the first indictment, Atlanta officials said they were pleased to see the investigation yield results.
“We are grateful for all our federal partners who have assisted with identifying the perpetrators and bringing them to justice,” the statement read. “The Administration remains committed to ensuring the ongoing safety and security of the City’s cyber-infrastructure, as well as that of the people of Atlanta.”