Feds indict two hackers in Iran for cyber attacks on Atlanta, entities in U.S., Canada

Deputy Attorney General Rod Rosenstein (at podium) and other federal officials released Wednesday a federal indictment of two men charged in a ransomware attack on more than 200 public entities in the United States and Canada. Credit: justice.gov
By David Pendered
The cyber attack that crippled the City of Atlanta starting in March was part of an assault on more than 200 public entities in the United States and Canada conducted by two men based in Iran who demanded payment in Bitcoins in exchange for keys to unlock ransomware they had installed in victims’ computer systems, according to a federal indictment released Wednesday in New Jersey.

Georgia is among the states that were attacked more than six times by the ransomware allegedly created and installed by two men operating inside Iran, according to a federal indictment. Credit: justice.gov
Atlanta Mayor Keisha Lance Bottoms released the following statement Wednesday afternoon:
- “The City of Atlanta is aware of the U.S. Department of Justice’s indictment related to the March cyber-attack against the City. We are grateful for all our federal partners who have assisted with identifying the perpetrators and bringing them to justice. The Administration remains committed to ensuring the ongoing safety and security of the City’s cyber-infrastructure, as well as that of the people of Atlanta.”
Prosecutors did not cite any local law enforcement agencies in the United States for working on the case. Agencies that were cited include the Justice Department, two British agencies, and Canada’s Calgary Police Service and Royal Canadian Mounted Police, according to remarks prepared for delivery by Assistant Attorney General Brian A. Benczkowski.
Atlanta was one of two major cities that were targeted in the scheme, according to remarks prepared for delivery by Deputy Attorney General Rod J. Rosenstein:
- “The victims included two major municipalities – the City of Atlanta, Georgia and the City of Newark, New Jersey. The defendants also sought to interrupt critical transportation infrastructure by infiltrating the Port of San Diego, California, and the Colorado Department of Transportation.”
Atlanta did not pay a ransom and the attack was estimated to cost the city up to $17 million.

Rosenstein said the defendants focused on public entities because, “they knew that shutting down those computer systems could cause significant harm to innocent victims.”
Their scheme involved installing the malware, demanding payment to provide the decryption keys needed to unlock the computers, and threatening to delete the decryption keys if the ransom demand was not paid, according to the indictment that was filed Monday and was the subject of a briefing Wednesday.
The two defendants have not been arrested and now are fugitives. The FBI’s executive assistant director, Amy Hess, said in a statement the indictment shows the U.S. district attorney’s office in New Jersey will pursue such criminals, “no matter where in the world they may seek to hide.”
The indictment charges Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, both of Iran.
Charges include:
- Conspiracy to commit fraud and related activity in connection with computers;
- Conspiracy to commit wire fraud;
- Intentional damage to a protected computer;
- Transmitting a demand in relation to damaging a protected computer.
The two men allegedly conducted a 34-month-long international computer hacking and extortion scheme involving malware they wrote. The “SamSam Ransomware” was capable of forcibly encrypting data on the computers of victims, according to a statement by the Justice Department.
The hackers first created SamSam in December 2015 and created updates in June and October 2017, according to a statement. To commit their attacks, the two hackers used Bitcoin exchangers in Iran, and also overseas computer infrastructures, according to the statement.

The FBI issued this wanted poster for two men who allegedly installed ransomware in the City of Atlanta’s computer system and more than 200 other public entities in the United States and Canada. Credit: fbi.gov