A federal grand jury indictment unsealed today in Newark, New Jersey gives some insight into the systematic takedown of the City of Atlanta’s computer system in March. Investigators said it was part of a network of ransomware attacks across the United States targeting hospitals, municipalities and other public entities.
Two Iranian men, Faramarz Shahi Savandi, 34, and Mohammad Shah Mansouri, 27, have been charged in a 34-month extortion scheme involving the deployment of sophisticated ransomware. The two men collected over $6 million in ransom payments and cost $30 million in losses, officials said.
“They focused their scheme on public entities, like hospitals and municipalities that they knew would cause significant harm to victims,” said Deputy Attorney General Rod Rosenstein at a press conference Wednesday. “They used sophisticated software to execute their plan with a malicious computer code that holds entities hostage until they receive a ransom payment.”
The six-count indictment identifies over 200 victims over a 34-month period -- including the City of Atlanta, the City of Newark, the Port of San Diego, the Colorado Department of Transportation, the University of Calgary in Alberta, Canada and six healthcare-related entities.
“This is a dangerous escalation of cybercrime. This is a new type of cyber criminal -- money is not the objective. They seek to destroy infrastructure,” said Craig Carpenito, U.S. District Attorney for the District of New Jersey. “They hit ports and hospitals trying to impact our way of life. The damage to society is more than a side effect of profit motive.”
The attack exposed Atlanta city computers to ransomware that encrypted personal and financial data for an unknown number of victims in March.
Mayor Keisha Lance Bottoms said at the time that everyone who has done business with the city was potentially at risk, and advised businesses and consumers to check their bank accounts. The attack shut down city business for several days and affected Atlanta's court systems, crippling the Municipal Court's payment processes. No customers who owed money for traffic tickets or low-level offenses were penalized during the outage.
Atlanta partnered with a security company called Secure Works to "free" the city from the ransomware, which security experts estimated cost the city about $51,000 at the time.
After the announcement of the indictment in the ransomware attack, Bottoms said she is "glad these people will be brought to justice."
"It was extremely disruptive to the city. This has happened to people worldwide and it's often very difficult for these perpetrators to be brought to justice," Bottoms said. "I'm very thankful this might stop another municipality from experiencing what we did."
City of Atlanta officials have not responded to 11Alive’s requests for comment on how much money it has cost them to fix the systems damaged in the ransomware attack. On Wednesday, Bottoms said the city has cyber insurance that will cover costs incurred to protect the city's data.
"Criminals spend all day, every day, trying to find ways to wreak havoc," Bottoms said. "I am so very thankful that the City of Atlanta had cyber insurance. It will be minimal cost to the city, but certainly the disruption was significant."
According to the indictment, Savandi and Mansouri would extort victims by demanding ransom payment in the virtual currency Bitcoin, in exchange for decryption keys for encrypted data. The men used Iran-based Bitcoin exchangers and utilized computer networks overseas to commit their attacks, officials said.
Carpenito said the men researched their targets before executing the attacks and looked for institutions that could not afford system downtime.
“They perfected their art and got better at it every day,” Carpenito said. “They would get into system backups to affect the maximum amount of computer data that they could. They used techniques like doing this work in off-hours for businesses, when IT infrastructure was not able to respond or protect.”
Victims would usually discover the attack through a ransom note left in a file on their computers, threatening to permanently delete the encryption keys.
Atlanta vowed not to pay the ransom when the city was crippled by a massive computer outage. FBI executive assistant director Amy Hess would not disclose which victims paid a ransom.
“In the indictment, we have not noted which victims paid and which ones didn’t. Atlanta was a case where the entire system was compromised for several days. Those behind the attack knew the problem it would cause,” said Hess.
She said the FBI discourages ransom payment, but understands businesses “have a lot at stake” when data is compromised.
Savandi and Mansouri used the dark web to conduct their activity and used devices to appear anonymous online, Hess said. However, their attempts to cover their tracks were eventually discovered.
“Regardless of where a criminal resides, we will pursue them,” Hess said. “We will catch them and they will slip up.”
According to the FBI, Mansouri is a 27-year-old Iranian male with brown hair and brown eyes. He was born in Qom, Iran. Savandi is 34 and was born in Shiraz, Iran. Both men are known to speak Farsi and live in Tehran, Iran.
Anyone with information on their whereabouts is asked to contact the local FBI office or nearest embassy or consulate.