
Feds Indict 2 Iranian Hackers In Atlanta Malware Attack

Mohammad Mehdi Shah Mansouri and Faramarz Shahi Savandi are wanted for allegedly launching ransomware attacks, which encrypted hundreds of computer networks in the United States and other countries.
Credit: Courtesy of the Department of Justice

On Wednesday the Department of Justice revealed it has indicted two Iranians for two years' worth of ransomware attacks, including the one that struck the city of Atlanta last spring.

In the early hours of March 22, city of Atlanta employees arrived at work to find their computers locked and being held for ransom. The demand? About $50,000 worth of bitcoin, which the city opted not to pay.

Instead, it spent millions rebuilding a compromised cyber system.

According to the Department of Justice, Atlanta wasn’t alone. It’s one of more than 200 victims of the “Samsam” malware.

Two Iranian men, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, are now indicted. And it’s clear these hackers weren’t just after money, said Craig Carpenito, the U.S. Attorney for New Jersey at a Wednesday press conference.

“This is a new type of cyber criminal,” he said. “Money is not their sole objective. They’re seeking to harm our institutions and our critical infrastructure … they’re trying to impact our way of life.”

That’s certainly what happened in Atlanta following the attack.

The City’s municipal court system had to switch to paper for three months. Water bills didn’t go out for weeks. Some employees lost all their files. The police lost years of dash cam videos.

Deputy Attorney General Rod Rosenstein said the alleged hackers targeted institutions like hospitals and cities on purpose.

“They knew that shutting down those computer systems would cause significant harm to innocent victims and would maximize their leverage, their ability to extort those ransom payments from the victim organizations,” he said.

Other victims included the City of Newark, New Jersey, the Port of San Diego, the Colorado Department of Transportation, the University of Calgary in Canada and the Kansas Heart Hospital.

Because the alleged hackers live in Iran, they may never be prosecuted. They received about $6 million in ransom and caused more than $30 million in losses.

Justice officials said all this underscores the need to shore up cyber defenses. And Atlanta should have been better protected, said Morgan Wright, a cybersecurity expert.

“If you’ve got a car and you’ve got a leaky tire on your car it’s going to go flat,” he said. “You can pretend to ignore it, you can pretend it doesn’t exist but it’s going to go flat and this is what happened here.”

“This will continue to happen and it will continue to happen as long as people don’t take care of their systems,” he said.

Richard Cox, Atlanta's chief operating officer, said in a May interview that the city experienced one of the biggest malware attacks on a municipality in U.S. history. While the city is in a better place now to defend its network, he said, the work never ends.

“You can never secure a network,” he said. “You can get really good at defending a network. And so I really feel good about us being in a better posture now. But you never claim victory.”

Mayor Keisha Lance Bottoms has said the attack pushed cybersecurity to the top of her priority list.