A federal grand jury in Georgia has returned an indictment on two Iranian nationals for ransomware attacks on the City of Atlanta.
The indictment charges Faramarz Shahi Savandi and Mohammed Mehdi Shah Mansouri with committing a sophisticated ransomware attack on the City of Atlanta in March 2018 in violation of the Computer Fraud and Abuse Act.
“In March 2018, a devastating ransomware attack interrupted City of Atlanta government functions and disrupted our community,” said U.S. Attorney Byung J. “BJay” Pak. “In the days following the attack, local law enforcement officials worked tirelessly to respond to the incident and collect investigative information that was passed on to our counterparts leading the groundbreaking investigation into the SamSam ransomware attacks. This indictment, which is in coordination with the U.S. Attorney’s Office for the District of New Jersey and the Computer Crime and Intellectual Property Section of the U.S. Department of Justice, vindicates the City of Atlanta’s interest in ensuring that those responsible for the attacks face justice here as well.”
“This investigation and subsequent indictment demonstrate the Secret Service’s commitment to safeguarding our financial institutions, our communities, our homeland,” said Kimberly A. Cheatle, Special Agent in Charge of the U.S. Secret Service, Atlanta Field Office. “The virus causing the disruption of service to the City of Atlanta was triaged by cyber investigative experts at the Secret Service in conjunction with other federal law enforcement partners. This case serves as a reminder to all, particularly during the holiday season, to ensure protocols related to cyber hygiene are observed. The Secret Service appreciates the level of cooperation and information sharing throughout this investigation by all law enforcement partners which led to this indictment.”
“The FBI is always eager to help expose criminals who hide behind their computer and launch attacks that threaten our public safety,” said J.C. “Chris” Hacker, Special Agent in Charge of FBI Atlanta. “We are proud to have assisted our federal partners, the U.S. Secret Service, and our private sector partners in sending a strong message that we will work together to investigate and hold all criminals accountable.”
According to U.S. Attorney Pak, the indictment, and other information presented in court: On or about March 10, 2018 through approximately March 22, 2018, the defendants, Faramarz Shahi Savandi and Mohammed Mehdi Shah Mansouri, both of whom are Iranian nationals, caused the execution of a “ransomware” attack against the City of Atlanta, which encrypted vital city computer systems, and demanded a ransom payment to restore access.
The attack was executed by the use of a type of malware (or “ransomware”) referred to as “SamSam Ransomware,” which infected approximately 3,789 computers belonging to the City of Atlanta, including servers and workstations. Once deployed, the ransomware encrypted the files associated with each infected computer and displayed a ransom note. That is, the ransomware effectively locked the infected computers and made it impossible to access the information stored on them without a decryption key.
The ransom note demanded .8 Bitcoin to decrypt each affected computer or six Bitcoin to decrypt all affected computers. That is, the attackers gave the City of Atlanta the option of paying to decrypt certain computers (at a rate of .8 Bitcoin per computer) or to decrypt all the infected computers (for six Bitcoin). The ransom note directed the City of Atlanta to a particular Bitcoin address to pay the ransom and supplied a web domain that was only accessible using a TOR browser; the note suggested that the City of Atlanta could download the decryption key from that website. In the days following the attack, the webpage that purportedly contained the decryption key became inaccessible, and the City of Atlanta did not pay the ransom.
The attack significantly disrupted City of Atlanta operations, impaired certain governmental functions, and caused it to incur substantial expenses in the coming weeks and months. To date, the attack has inflicted millions of dollars in losses.
The indictment charges Faramarz Shahi Savandi, 27, of Shiraz, Iran, and Mohammed Mehdi Shah Mansouri, 34, of Qom, Iran, in the U.S. District Court for the Northern District of Georgia (“the Atlanta case”) with intentional damage to protected computers located in Atlanta that caused losses exceeding $5,000, affected more than 10 protected computers, and that threatened the public health and safety.
The defendants are also charged in the U.S. District Court for the District of New Jersey with one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer located in New Jersey, and two substantive counts of transmitting a demand in relation to damaging a protected computer located in New Jersey. That case is being investigated by the FBI’s Newark Field Office, the U.S. Attorney’s Office for the District of New Jersey, and the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS).
Assistant U.S. Attorneys Nathan P. Kitchens and Kamal Ghali, Deputy Chiefs of the Cyber and Intellectual Property Crime Section, are prosecuting the Atlanta case. The Atlanta Field Offices of the U.S. Secret Service and the Federal Bureau of Investigation assisted with the response to the City of Atlanta ransomware attack.
In determining the actual sentence, the Court will consider the United States Sentencing Guidelines, which are not binding but provide appropriate sentencing ranges for most offenders.
Members of the public are reminded that the indictment only contains charges. The defendant is presumed innocent of the charges and it will be the government’s burden to prove the defendant’s guilt beyond a reasonable doubt at trial.