The U.S. Department of Justice today said it has indicted two Iranian men they accuse of being behind ransomware attacks that among other targets crippled the City of Atlanta in March.

Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, are accused of creating and deploying the SamSam ransomware over a 34-month international computer hacking and extortion scheme starting in December 2015.

The pair is claimed to have accessed the computers of victims without authorization through security vulnerabilities and then installed and executed the SamSam ransomware. The ransomware encrypted data on infected computers and demanded a payment in bitcoin for a key for users to obtain access.

The Justice Department claims that more than 200 SamSam victims included hospitals, municipalities and public institutions. Along with the attack on Atlanta, high-profile SamSam victims include Laboratory Corp. of America Holdings, Hollywood Presbyterian Medical Center and the Port of San Diego.

“The Iranian defendants allegedly used hacking and malware to cause more than $30 million in losses to more than 200 victims,” Deputy Attorney General Rosenstein said in a statement.  “According to the indictment, the hackers infiltrated computer systems in 10 states and Canada and then demanded payment. The criminal activity harmed state agencies, city governments, hospitals, and countless innocent victims.”

Chester Wisniewski, principal research scientist at Sophos Group plc, told SiliconANGLE that the human-centered approach used by the hackers proved successful, since the Iranian pair is believed to have collected an estimated $6.5 million over the course of almost three years.

“The attacks were more cat burglar in style – they strategically happened when victims were asleep, indicating that the attacker carries out reconnaissance on victims and carefully plans who, what, where and when attacks will happen,” Wisniewski explained. “In these attacks, cybercriminals target weak entry points and brute-force Remote Desktop Protocol passwords. Once in, they move laterally, working one step at a time to steal domain admin credentials, manipulate internal controls, disable back-ups and more to hand-deliver the ransomware.”

By the time most IT managers notice what’s happening, he said, the damage is done. “Other cybercriminals have taken note, and in 2019 we expect copycat attacks,” he said.

Savandi and Mansouri were ultimately traced by the U.S. Department of Treasury via their use of bitcoin wallets to transfer their ill-gotten gains into Iranian Rials.

“This goes to show that no amount of malicious code, covert operations and cryptocurrency puts a criminal beyond our ability to identify and bring forth charges for stealing and extorting money from innocent people,” Wisniewski added. “By identifying the bitcoin wallets associated with this criminal activity they have essentially marked them as poison. Anyone who attempts to help launder those cryptocurrencies and assists in converting them to real money will be an accessory to the crimes alleged to have been committed.”

Image: FBI