The landmark ransomware campaign that crippled Atlanta last March was created by two Iranians, says DoJ

  • Today's indictment of two Iranian nationals highlights how one single campaign of attacks has had a significant influence on how global corporations and municipalities handle ransomware.
  • The ransomware campaign famously knocked out the City of Atlanta in March and severely affected several large hospitals, including Hollywood Presbyterian.
  • The Department of Treasury also issued sanctions against Iranians accused of processing the illicit Bitcoin transactions associated with the ransom payments.
Deputy Attorney General Rod Rosenstein holds a news conference at the Department of Justice July 13, 2018 in Washington, DC.
Chip Somodevilla | Getty Images
Deputy Attorney General Rod Rosenstein holds a news conference at the Department of Justice July 13, 2018 in Washington, DC.

The Department of Justice on Wednesday indicted two Iranians it says were behind a set of ransomware attacks called "SamSam" that devastated the City of Atlanta in March 2018, as well as the Hollywood Presbyterian Hospital in February 2016 and other victims.

Ransomware is malicious software that locks up computers and any computer-controlled equipment until the victim pays a ransom to the criminal involved. While it's often seen as a purely criminal activity, deployed to get money from unsuspecting businesses, its deployment can cause chaos and nation-state intrigue, as well as major shut-downs in government or corporate services. According to the Department of Justice, of the hundreds of U.S. victims of this campaign, many sustained "substantial losses."

In March 2018, the City of Atlanta was held hostage by the ransomware, which shut down government services for several days and ultimately cost the city $17 million.

But one of the most alarming attacks of the SamSam campaign came much earlier. In February 2016, long before most people had heard of ransomware, Hollywood Presbyterian Hospital near Los Angeles was hit with a virulent strain of the malicious software forcing it to shut down systems across its facility.

As a result, cancer doctors in the radiation department could not turn on their devices, and other physicians reported they couldn't access patient medical records, nor share MRIs, X-rays or blood tests. Patients were turned away. The shut-down lasted for more than a week, and the hospital ultimately paid criminals $17,000 to get back online.

The scenario prompted many hospitals to re-think cybersecurity and imagine how a cyberattack might play shake out at a critical facility that serves the publich. It also introduced many people to the concept of "ransomware" itself, and served as a preview of WannaCry and NotPetya attacks that took out health care, logistics, medical and industrial facilities worldwide.

The hospital's actions also sparked an ethical debate over whether or not companies should pay ransoms in order to get services back online, provided the criminals in question have a high likelihood of being able to deliver. Many posit that it's unethical to pay criminals who may ultimately be supported by rogue nation-states or organized crime, or that paying a ransom will only invite more criminals.

But for those who advocate paying the ransom, the difference between Presbyterian's $17,000 payment to ransomers and Atlanta's $17 million price tag for not doing it is proof they're right.

The two people indicted for allegedly taking part in the SamSam campaign, Faramarz Savandi and Mohammad Mansouri, currently live in Iran. It's unlikely they will be arrested, much like other cybercriminals from Russia, Iran and North Korea indicted in absentia. The Department of Justice has made "naming and shaming" a priority in these cases, in order to put pressure on these countries.

Alongside the DoJ action, the U.S. Department of Treasury has assigned sanctions to two further Iranians who it says helped process the ransoms, which were paid in Bitcoin: Ali Khorashadizadeh and Mohammad Ghorbaniyan.

The group allegedly sustained the campaign for 36 months, according to the indictment. Other entities that fell victim included the City of Newark and Kansas Heart Hospital.