Iranian Hacker Admits Guilt in $19 Million Robbinhood Ransomware Attack Targeting Baltimore

Date: May 28, 2025
Category: Ransomware / Data Breach

An Iranian national has acknowledged his involvement in a major ransomware and extortion operation linked to the Robbinhood ransomware in the U.S. Sina Gholinejad (also known as Sina Ghaaf), 37, along with his accomplices, infiltrated the computer networks of multiple U.S. organizations, encrypting files and demanding Bitcoin ransoms. Arrested in North Carolina in early January, Gholinejad pleaded guilty to charges of computer fraud and abuse, as well as conspiracy to commit wire fraud. He faces up to 30 years in prison, with his sentencing set for August 2025. The U.S. Department of Justice reported that these cyberattacks led to significant disruptions and financial losses exceeding $19 million for cities like Greenville, North Carolina, and Baltimore, Maryland.


In a significant development in the realm of cybersecurity, an Iranian national, Sina Gholinejad, has entered a guilty plea in the United States for his role in an extensive ransomware operation that leveraged the notorious Robbinhood malware. The operation resulted in substantial financial losses and operational disruptions across several American organizations, most prominently the City of Baltimore.

Gholinejad, also known as Sina Ghaaf, was apprehended in January in North Carolina and charged on multiple counts, including computer fraud and conspiracy to commit wire fraud. The court proceedings have highlighted the workings of a criminal syndicate that targeted critical municipal infrastructure: the group gained unauthorized access to computer networks and encrypted vital data with Robbinhood ransomware, then demanded Bitcoin ransom payments in exchange for restoring access to the encrypted files.

The Justice Department has provided insight into the far-reaching consequences of these cyberattacks, estimating that the damage incurred by Baltimore alone exceeded $19 million. The disruption extended beyond the city's own operations to other locations, such as Greenville, North Carolina, underscoring the pervasive threat posed by ransomware actors. By exploiting weaknesses in network defenses, Gholinejad and his associates demonstrated a practiced command of the tactics used in modern cybercrime.

In examining the methods that may have been employed during this attack, it is worth referencing the MITRE ATT&CK framework, which categorizes adversary tactics and techniques. Initial access in cases like this is commonly achieved through phishing or the exploitation of software vulnerabilities, yielding unauthorized entry into targeted systems. Once inside, adversaries typically establish persistence to retain control of the network and escalate their privileges so that they can encrypt files across many systems.

The scale and execution of this ransomware operation highlight the urgent need for organizations, especially those in the public sector, to bolster their cybersecurity defenses. As Gholinejad awaits sentencing, scheduled for August 2025, the incident remains a stark reminder of the evolving challenges organizations face in defending against sophisticated cyber threats.

This case is a critical point of reflection for business owners and IT professionals alike, prompting a reassessment of security controls and incident response plans to reduce the risk posed by ransomware and other cyber threats. The stakes are high, and proactive measures are essential in navigating the complex and potentially devastating world of cybercrime.
