Two Iranians were behind the ransomware attack that crippled Atlanta’s government for days this year, the Justice Department said in an indictment unsealed on Wednesday, detailing a sophisticated scheme of attacks on hospitals, government agencies and other organizations.
The men, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, chose targets with complex yet vulnerable systems — organizations that could afford to pay ransoms and needed to urgently restore their systems back online, prosecutors said.
In the case of Atlanta, one of the most sustained and consequential cyberattacks ever launched against a major American city, the pair broke into the city’s computer systems and held their data hostage for about $51,000 worth of the cryptocurrency Bitcoin, prosecutors said.
“They deliberately engaged in an extreme form of 21st-century digital blackmail, attacking and extorting vulnerable victims like hospitals and schools, victims they knew would be willing and able to pay,” Brian Benczkowski, the head of the criminal division of the Justice Department, said in a news conference on Wednesday.
The Treasury Department also imposed sanctions on two other Iranians, accusing them of changing the Bitcoin obtained by the hackers into Iranian rial.
Mr. Savandi and Mr. Mansouri, who are wanted by the F.B.I., created the malicious software SamSam Ransomware, prosecutors said, and began to gain access to their victims’ computers in January 2016. The software is well known to cybersecurity experts.
Atlanta officials said at the time that they would not pay the ransom, even as the attack ground court, parking and employment systems to a halt. For days, police officers wrote reports by hand, warrants were not validated, applications for city jobs sat unprocessed and government workers were unable to access basic administrative systems.
“Victims are encouraged not to pay the ransom,” said Amy Hess, a top F.B.I. cybercrime official. She added that there is no guarantee that the victims will get their data back.
Mr. Savandi and Mr. Mansouri collected more than $6 million in extortion payments, law enforcement officials said. The cities and businesses targeted lost more than $30 million as they scrambled to fix computer systems and recovered data, according to court documents.
Many of the victims were public agencies with missions that involve lifesaving and other critical functions. Among them were Allscripts Healthcare; Laboratory Corporation of America; the city of Newark; the University of Calgary; the Port of San Diego; the Colorado Department of Transportation; and hospitals and health care groups in Los Angeles, Kansas, Maryland and Nebraska.
In the case of Mr. Savandi and Mr. Mansouri, the Justice Department indictment indicated that they belonged to the SamSam group, which is well known to cybersecurity researchers.
The group was also known for meticulously encrypting its victims’ data, manually from file to file; changing file names to “I’m sorry”; demanding high ransom payments in Bitcoin; and giving victims only a week to pay before they made their data permanently inaccessible, according to major security firms like Symantec, the Crypsis Group and others.
Cybersecurity researchers said they were surprised to learn that the SamSam group was based in Iran. Other than the group’s name — Samsam Kandi is the name of a tiny Iranian village — no indicators showed that the group was based in Iran.
“They weren’t using any of the Iranian infrastructure or typical Iranian tools and, until now, ransomware was not a typical Iranian attack method,” said Allan Liska, an intelligence analyst at Recorded Future, a threat intelligence firm based in Boston.
The defendants had used Bitcoin exchanges to launder their ransomware profits. People in countries with heavily sanctioned governments like North Korea and Iran are increasingly turning to cryptocurrency to bypass sanctions, Mr. Liska said.
Though officials were careful to note that the suspects were not affiliated with the government of Iran, American officials and private-sector cybersecurity experts have been closely monitoring internet traffic out of Iran after President Trump’s decision to pull out of the deal over its nuclear program last May.
Within 24 hours, monitors in the United States and Israel picked up a notable shift in Iranian state hacking activity, including renewed attacks on diplomats and foreign affairs offices of American allies, as well as employees at major telecommunication companies.