RobbinHood Ransomware Hacker Admits Guilt in U.S. Court

Fraud Management & Cybercrime, Ransomware

Baltimore’s Robbinhood Ransomware Attack Results in $19 Million Loss

The skyline of Baltimore, captured on April 24, 2025. (Image: Kate Scott/Shutterstock)

The ransomware attack on Baltimore, which drew national attention, has culminated in the guilty plea of Sina Gholinejad, a 37-year-old Iranian national. In a U.S. federal court in Raleigh, North Carolina, Gholinejad admitted to deploying Robbinhood ransomware that severely disrupted the city’s operations and caused damages estimated at $19 million.

The attack, which took place on May 7, 2019, compromised the Baltimore city network and reflects a worrying trend of public sector entities becoming prime targets for cybercriminals. Shortly before this incident, Gholinejad had carried out a similar attack against Greenville, North Carolina, indicating a deliberate campaign against U.S. municipalities.

Gholinejad faced charges of computer fraud and conspiracy to commit wire fraud, which together carry a potential sentence of up to 30 years. An indictment unsealed in April 2024 contained seven criminal counts against him. The fallout from the Baltimore attack forced local officials to scramble for recovery funding: the city council reallocated $6 million to address immediate needs, and the overall cost included over $10 million for IT recovery efforts and $8.2 million in losses from delayed revenue streams.

City services, including online payment systems and tax verification processes, suffered prolonged disruptions as a direct consequence of the ransomware attack. While officials implemented manual workarounds, the local real estate market stagnated, underscoring how far the incident's effects reached.

During negotiations, the attackers initially demanded 13 Bitcoins, worth approximately $76,000 at the time, to restore the city’s compromised systems. Subsequent audits showed that the attack exploited weaknesses in the city's IT infrastructure: crucial files were stored only on local hard drives and lacked modern security measures, which greatly amplified the damage the attackers were able to cause.

The Robbinhood malware has also hit other entities, including Gresham, Oregon, Yonkers, New York, and a medical practice in New Jersey, with attacks continuing at least until March 2024. The Robbinhood group’s tactics, as categorized under the MITRE ATT&CK framework, included gaining initial access through RDP brute-force attacks that exploited weak credentials on local administrator accounts. They then used privilege escalation techniques that abused vulnerabilities in hardware drivers to undermine the system's security controls.
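The RDP brute-force pattern described above is one a defender can pick out of Windows Security logs. The following is an added example for this article, not code from the article, Microsoft, or the Robbinhood analysis it cites: it scans constructed logon events (Event ID 4625 failures and 4624 successes with logon type 10, which is RDP) and reports a source that racks up repeated failures and then succeeds, the signature of a guessed local administrator password. The event tuples, addresses and thresholds are all constructed sample values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry:
# (timestamp, event_id, logon_type, target_user, source_ip)
SAMPLE_EVENTS = [
    ("2019-05-06T23:58:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-05-06T23:58:03", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-05-06T23:58:05", 4625, 10, "admin",         "203.0.113.7"),
    ("2019-05-06T23:58:09", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-05-06T23:58:12", 4625, 10, "backup",        "203.0.113.7"),
    ("2019-05-06T23:58:20", 4624, 10, "administrator", "203.0.113.7"),
    ("2019-05-06T23:59:00", 4625, 10, "jdoe",          "198.51.100.4"),  # one typo, benign
    ("2019-05-06T23:59:30", 4624, 10, "jdoe",          "198.51.100.4"),
]

RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (RDP)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return findings as dicts: {"source", "failures", "success_user"}.

    A source that accumulates `threshold` RDP failures inside `window` is
    reported once; a later RDP success from that source while its failure
    window is still hot is recorded as the likely compromised account.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps of failures inside the window
    findings = {}                 # source_ip -> finding dict
    for ts_str, event_id, logon_type, user, src in sorted(events, key=lambda e: e[0]):
        if logon_type != RDP_LOGON_TYPE:
            continue
        ts = datetime.fromisoformat(ts_str)
        fails = recent[src]
        while fails and ts - fails[0] > window:   # drop failures older than the window
            fails.popleft()
        if event_id == 4625:
            fails.append(ts)
            if len(fails) >= threshold and src not in findings:
                findings[src] = {"source": src, "failures": len(fails), "success_user": None}
            elif src in findings:
                findings[src]["failures"] = max(findings[src]["failures"], len(fails))
        elif event_id == 4624 and src in findings and len(fails) >= threshold:
            findings[src]["success_user"] = user   # success right after a burst of failures
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(finding)
```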

According to Microsoft, the attackers loaded a driver from the Taiwanese company Gigabyte and exploited the CVE-2018-19320 vulnerability in it to bypass security measures. This method illustrates how ransomware attacks keep evolving and the sophisticated techniques adversaries can employ to breach public sector defenses.

As the cybersecurity landscape continues to evolve, incidents like the Baltimore ransomware attack reinforce the urgent need for businesses and public institutions to strengthen their defenses against increasing threats. Comprehensive risk assessments and the adoption of enhanced security protocols are vital in safeguarding against similar future incidents.
