
Two Iranian men charged with the ransomware attack that took down Atlanta



Illustration by Alex Castro / The Verge

The US Treasury Department has placed bitcoin addresses on its sanctions list for the first time, after two Iranian hackers were charged with extorting millions of dollars in ransoms that flowed through them. The two addresses were used to launder SamSam ransom payments; the ransomware itself was allegedly created by Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri. The Justice Department unsealed an indictment against both men today, alleging that they collected $6 million by targeting more than 200 victims, including the cities of Atlanta, Georgia, and Newark, New Jersey.

SamSam began infecting computers in 2015, and it has been linked to expensive and temporarily devastating attacks on hospitals and infrastructure. Like other ransomware, SamSam encrypted victims' machines and demanded payment, sometimes tens of thousands of dollars, to a bitcoin address. The Treasury Department says the two sanctioned addresses processed over 7,000 transactions, although not all were necessarily related to SamSam.

The hackers “worked hard to identify the most vulnerable targets”

In a press conference, US Attorney Craig Carpenito told reporters that Savandi and Mansouri “worked hard to identify the most vulnerable targets that they could,” and not just because they would be more likely to pay up. “Money is not their sole objective,” he claimed. “They’re seeking to harm our institutions and critical infrastructure. They’re trying to impact our way of life.”

One of Savandi and Mansouri's most high-profile alleged crimes was an attack on Atlanta in March 2018. Basic municipal functions were affected, including the ability to pay water bills or parking tickets, although Atlanta's emergency services remained functional. Altogether, the Justice Department lists attacks in 43 US states.

We don’t know how many victims paid up

The Justice Department declined to say how many victims reported their attacks to law enforcement, or how many paid the ransom, although it advised targets not to pay. Previous news reports have indicated that some institutions did pay, including Indiana hospital Hancock Health, which paid around $55,000 to unlock its computers in early 2018. The indictment names a dozen victims, including Atlanta, Newark, the Colorado Department of Transportation, the University of Calgary, and several hospitals.

This isn't the year's first big ransomware indictment; the Justice Department charged a North Korean hacker in September for his alleged role in the WannaCry ransomware campaign. US law enforcement tied the WannaCry defendant to a state-sponsored operation, but Carpenito says this SamSam indictment includes "nothing of that sort."

This is the first time the US has added cryptocurrency addresses to its sanctions list, although the Treasury Department's Office of Foreign Assets Control (OFAC) raised the possibility in March. Any US person or company that transacts with the listed addresses now risks sanctions liability as well, so for those parties the listing effectively bans paying a SamSam ransom to them. OFAC lists specific addresses, however, so screening a ransom demand against the list catches only payments to those addresses; a fresh address used by the same actors would not match, even though dealing with a sanctioned person remains prohibited regardless of the address.
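The practical consequence for an incident responder is a screening step before any ransom payment is even discussed: extract the payment addresses from the ransom note, validate them, and check them against the designated-address entries. The following is an added example, not code from The Verge, the Treasury Department or any SamSam analysis; the blocklist entry, its annotation string and the ransom-note text are constructed for illustration (they are not the real OFAC-listed addresses), and the real list must be fetched from OFAC separately. It handles the classic base58check (P2PKH/P2SH) address form only; bech32 `bc1...` addresses are out of scope here.

```python
"""Screen bitcoin addresses in a ransom note against a sanctions blocklist.

Added example; not code from the article or any official source.
Sample blocklist and ransom note below are constructed for illustration.
"""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_encode(version: int, payload: bytes) -> str:
    """Version byte + payload + 4-byte double-SHA256 checksum, in base58."""
    data = bytes([version]) + payload
    data += hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    # Each leading zero byte is represented by a leading '1'.
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def base58check_decode(addr: str):
    """Return (version, payload) if the checksum verifies, else None.

    Base58 is case-sensitive, so the address is never lowercased.
    """
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None  # character outside the alphabet (e.g. '0', 'O', 'l')
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw
    if len(raw) != 25:  # 1 version + 20 hash + 4 checksum
        return None
    data, checksum = raw[:21], raw[21:]
    if hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4] != checksum:
        return None
    return data[0], data[1:]


# Loose syntactic match for P2PKH ('1...') / P2SH ('3...') addresses; the
# checksum check in extract_addresses() weeds out false positives and typos.
ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def extract_addresses(text: str) -> list:
    """Addresses in the text whose base58check checksum verifies, in order."""
    return [m for m in ADDRESS_RE.findall(text) if base58check_decode(m) is not None]


def screen(text: str, blocklist: dict) -> dict:
    """Map each listed address found in the text to its blocklist annotation."""
    return {a: blocklist[a] for a in extract_addresses(text) if a in blocklist}


# Constructed sample data (hypothetical; not the real designated addresses).
SANCTIONED_HASH160 = bytes(range(1, 21))
SANCTIONED_ADDR = base58check_encode(0x00, SANCTIONED_HASH160)
BLOCKLIST = {SANCTIONED_ADDR: "hypothetical SDN entry: Digital Currency Address - XBT"}
CLEAN_ADDR = base58check_encode(0x00, bytes(range(21, 41)))
RANSOM_NOTE = (
    "Your files are encrypted.\n"
    f"Send 0.8 BTC to {SANCTIONED_ADDR} within 7 days.\n"
    f"Backup payment address: {CLEAN_ADDR}\n"
)

if __name__ == "__main__":
    for addr, note in screen(RANSOM_NOTE, BLOCKLIST).items():
        print(f"DO NOT PAY: {addr} is listed ({note})")
```

Run as a script it reports the constructed sanctioned address; imported, `screen()` returns the hits for the caller to act on. Because the match is by exact address, a negative result says only that the note's addresses are not on the copy of the list you loaded; it says nothing about who controls them.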