Iranian National Pleads Guilty in Robbinhood Ransomware Scheme Causing Tens of Millions in Losses and Crippling U.S. Public Services

FraudsWatch
Sina Gholinejad's guilty plea in the Robbinhood ransomware case underscores law enforcement's resolve to combat cybercriminals who disrupt essential services and inflict massive financial damage.

WASHINGTON – An Iranian national, Sina Gholinejad, 37, pleaded guilty today in federal court to his role in a sophisticated international ransomware and extortion conspiracy that utilized the notorious Robbinhood ransomware variant. The scheme inflicted tens of millions of dollars in financial losses and caused widespread disruption to essential public services in numerous U.S. cities and healthcare organizations. The guilty plea marks a significant victory for U.S. law enforcement and its international partners in the ongoing battle against global cybercrime.  

According to court documents and statements made during the plea hearing, Gholinejad and his co-conspirators systematically compromised computer networks belonging to a wide array of victims. These included municipal governments, corporations, and critically, healthcare organizations across the United States. Once access was gained, the conspirators deployed the Robbinhood ransomware, encrypting vital files and effectively paralyzing victim networks. They then extorted ransom payments, primarily in Bitcoin, in exchange for the decryption keys necessary to restore access to the compromised data.  

The devastating impact of these cyberattacks was starkly illustrated by the case of the City of Baltimore, Maryland, which suffered losses exceeding $19 million. This figure encompasses not only the direct costs of network damage and remediation but also the prolonged disruption to essential city services. For many months, Baltimore struggled with impairments to online systems for processing property taxes, water bills, parking citations, and other crucial revenue-generating functions. The attackers brazenly used the well-publicized damage inflicted upon Baltimore and other early victims as a psychological weapon to coerce subsequent targets into paying ransoms.  

“Gholinejad and his co-conspirators — all of whom were overseas — caused tens of millions of dollars in losses and disrupted essential public services by deploying the Robbinhood ransomware against U.S. cities, health care organizations, and businesses,” stated Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. “The ransomware attack against the City of Baltimore forced the city to take hundreds of computers offline and prevented the city from performing basic functions for months. Gholinejad’s conviction reflects the Criminal Division’s commitment to bringing cybercriminals who target our cities, healthcare system, and businesses to justice no matter where they are located. There will be no impunity for these destructive attacks.”  


Acting U.S. Attorney Daniel P. Bubar for the Eastern District of North Carolina echoed these sentiments: “Cybercrime is not a victimless offense — it is a direct attack on our communities, as seen in this case. Gholinejad and his co-conspirators orchestrated a ransomware scheme that disrupted lives, businesses, and local governments, and resulted in losses of tens of millions of dollars from unsuspecting victims and institutions. The announcement today marks a significant step towards justice for the countless victims impacted by the defendant’s malicious scheme. Cases like these act as a reminder that cybercriminals who seek to exploit our digital infrastructure for personal gain will be identified, prosecuted, and held accountable.”  

The Robbinhood Ransomware: A Technical Menace

The Robbinhood ransomware, sometimes misspelled with two ‘b’s (“Robbinhood”), emerged as a significant threat around March 2019, with activity observed as late as November 2020. It is recognized as a ransomware “family” because the debug paths in its encryptor executables carry version numbers; the last known version is Robbinhood7.

Encryption Methodology and Operational Tactics:

Robbinhood employs a hybrid encryption scheme: the Advanced Encryption Standard (AES) encrypts individual files, and the RSA algorithm encrypts the AES key itself. Specifically, many variants use AES-256 for file encryption and RSA-4096 for key encryption, though some analyses suggest RSA-1024 public keys were also functional. A peculiar characteristic of many Robbinhood encryptors is that they require an RSA public key file, typically named key.pub, to be present in the C:\Windows\Temp\ directory before encryption can commence. If this file is absent, the encryption process does not start, a detail that some researchers noted could serve as an early-stage kill switch if a dummy file with restricted permissions were placed there.

The ransomware typically drops four HTML ransom notes in nearly every affected directory, with common names like _Decryption_ReadMe.html, _Decrypt_Files.html, _Help_Help_Help.html, and _Help_Important.html. These notes demand ransom payments in Bitcoin, with amounts varying. Some demands were 0.8 BTC per affected system or 13 BTC for all systems, while others specified 3 BTC per system and 7 BTC for the entire network. A particularly aggressive tactic was the threat of increasing the ransom by $10,000 daily after the fourth day of nonpayment. Encrypted files are often renamed with extensions like .enc_robbin_hood, .enc_robbinhood, or .rbhd appended to a random alphanumeric string.  

Disabling Defenses: The GIGABYTE Driver Exploit (CVE-2018-19320)

A critical component of the Robbinhood operators’ tactics, techniques, and procedures (TTPs) involved the exploitation of a legitimate, signed GIGABYTE kernel driver (gdrv.sys). This driver contained a known vulnerability, CVE-2018-19320, which allowed for privilege escalation. The attackers leveraged this vulnerability to disable Microsoft’s driver signature enforcement feature. This maneuver enabled them to load a second, malicious unsigned kernel driver (often named rbnl.sys). This malicious driver was then used to terminate security processes and delete associated files, effectively blinding antivirus and endpoint detection and response (EDR) solutions before the final ransomware encryptor was deployed. This sophisticated method of bypassing security measures highlights the attackers’ technical capabilities and their understanding of operating system internals. The use of a legitimate, albeit vulnerable, signed driver to load a malicious one is a clear indication of the lengths these cybercriminals will go to ensure their payload executes successfully. While GIGABYTE had reportedly discontinued the vulnerable driver, its certificate had not been revoked at the time of some analyses, leaving systems susceptible.  

System Disruption and Propagation:

Robbinhood, typically written in the Go programming language, is not known to self-propagate within a network the way wormable ransomware strains do. Instead, it appears to be deployed on individual machines after an initial network breach, often using tools like PsExec or compromised domain controllers. This suggests a “human-operated ransomware” model, in which attackers manually navigate the network, identify high-value targets, and then deploy the ransomware. The malware actively hinders recovery by disconnecting mapped network shares (via cmd.exe /c net use * /DELETE /Y) and stopping numerous Windows services associated with antivirus software, databases, and mail servers so that encryption can proceed unimpeded. It also employs functions, sometimes crudely named (“ShadowFucks” and “RecoveryFCK”), to delete volume shadow copies and disable system recovery options, making restoration from local backups extremely difficult.
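As an added example (not code from the DOJ release, from any vendor, or from the malware itself), the Python below turns the file artifacts named in the ransom-note section and the host indicators from the driver and propagation sections into a simple triage check. All sample paths and log lines are constructed, and the Sysmon-style field names in them are an assumption.

```python
"""Triage helpers for the Robbinhood artifacts named in the article.

Added example (not DOJ, vendor or Robbinhood code). Indicator strings are the
ones the article gives; all sample paths and log lines below are constructed.
"""
import re
from collections import Counter

# Ransom note names and encrypted-file extensions stated in the article.
RANSOM_NOTES = {
    "_decryption_readme.html", "_decrypt_files.html",
    "_help_help_help.html", "_help_important.html",
}
ENCRYPTED_EXTS = (".enc_robbin_hood", ".enc_robbinhood", ".rbhd")

# Host-level indicators from the article: the vulnerable signed GIGABYTE
# driver (CVE-2018-19320), the unsigned driver loaded through it, the share
# disconnect command, and the RSA public key the encryptor expects in Temp.
HOST_PATTERNS = {
    "vulnerable_gdrv_driver": re.compile(r"\bgdrv\.sys\b", re.I),
    "unsigned_rbnl_driver": re.compile(r"\brbnl\.sys\b", re.I),
    "share_disconnect": re.compile(r"net\s+use\s+\*\s+/DELETE\s+/Y", re.I),
    "rsa_pubkey_in_temp": re.compile(r"windows[\\/]temp[\\/]key\.pub", re.I),
}

def classify_path(path):
    """Return 'ransom_note', 'encrypted_file' or None for a single file path."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in RANSOM_NOTES:
        return "ransom_note"
    if name.endswith(ENCRYPTED_EXTS):
        return "encrypted_file"
    return None

def scan_file_listing(paths):
    """Count Robbinhood file artifacts in a directory listing."""
    return Counter(kind for kind in map(classify_path, paths) if kind)

def scan_host_events(lines):
    """Return (line_number, indicator_name) for every log line that matches."""
    hits = []
    for number, line in enumerate(lines, 1):
        for name, pattern in HOST_PATTERNS.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits

def triage(paths, lines):
    """Combine both scans; flag 'likely_robbinhood' when a note or encrypted
    file is present together with at least one host indicator."""
    files = scan_file_listing(paths)
    events = scan_host_events(lines)
    return {
        "file_artifacts": dict(files),
        "host_indicators": sorted({name for _, name in events}),
        "likely_robbinhood": bool(files) and bool(events),
    }

# Constructed sample data (not from any real incident).
SAMPLE_PATHS = [
    r"C:\Users\finance\Documents\_Decryption_ReadMe.html",
    r"C:\Users\finance\Documents\_Help_Help_Help.html",
    r"C:\Users\finance\Documents\Encrypted_9f3kQ2ab.enc_robbinhood",
    r"C:\Users\finance\Documents\budget2019.xlsx",
    r"C:\Users\finance\Documents\Encrypted_Zt71mX.rbhd",
]
SAMPLE_EVENTS = [  # loosely Sysmon-style fields (assumed format)
    "DriverLoad ImageLoaded=C:\\Windows\\Temp\\gdrv.sys Signed=true",
    "DriverLoad ImageLoaded=C:\\Windows\\Temp\\rbnl.sys Signed=false",
    "ProcessCreate CommandLine=cmd.exe /c net use * /DELETE /Y",
    "FileCreate TargetFilename=C:\\Windows\\Temp\\key.pub",
    "ProcessCreate CommandLine=notepad.exe report.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS, SAMPLE_EVENTS))
```

Matching on file names and command lines alone is a triage aid, not proof; the encrypted-file extension and the key.pub drop location are the strongest of these signals because a benign host has no reason to produce them.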

The International Conspiracy and Gholinejad’s Role

The conspiracy led by Sina Gholinejad began its operations in or around January 2019. Gholinejad and his unnamed co-conspirators, all operating from overseas, demonstrated a sophisticated understanding of network intrusion, data exfiltration, encryption, and money laundering techniques.  

Modus Operandi:

  1. Unauthorized Access and Data Exfiltration: The group would first gain and maintain unauthorized access to victim computer networks. This initial access was often achieved through methods like exploiting vulnerabilities in public-facing infrastructure or using stolen credentials, common vectors in ransomware attacks. Once inside, they would copy sensitive information from the infected networks to virtual private servers (VPS) under their control. This data exfiltration served as a secondary extortion tactic, a hallmark of “double extortion” ransomware schemes where attackers threaten to leak stolen data if the ransom for decryption is not paid.  
  2. Ransomware Deployment: After exfiltrating data, the conspirators deployed the Robbinhood ransomware to encrypt the victims’ files, rendering their systems inoperable.  
  3. Extortion: Victims were then presented with ransom demands, payable in Bitcoin, for the decryption key. The amounts demanded were substantial, reflecting the critical nature of the targeted systems.  
  4. Money Laundering and Anonymization: To obscure their identities and the flow of illicit funds, Gholinejad and his associates employed several technical methods. These included using cryptocurrency mixing services (tumblers) to break the chain of transactions, “chain-hopping” (moving assets between different types of cryptocurrencies), and leveraging virtual private networks (VPNs) and servers they operated to hide their activities.  

The indictment against Gholinejad (Case 5:22-CR-291-D, filed in the Eastern District of North Carolina) details these activities, charging him with one count of conspiracy to commit wire fraud (18 U.S.C. § 1349) and one count of conspiracy to commit fraud and related activity in connection with computers (18 U.S.C. § 371, referencing 18 U.S.C. § 1030(a)(5)(A)). The indictment specifically alleges that Gholinejad participated in selecting victim systems, deploying the ransomware, and laundering the proceeds. While the indictment does not name all co-conspirators, it refers to them as “others known and unknown to the Grand Jury”.  

Devastating Impact on U.S. Cities and Healthcare

The Robbinhood ransomware campaign orchestrated by Gholinejad and his co-conspirators left a trail of significant financial damage and severe disruption to public services across the United States. The attacks were not indiscriminate; they targeted critical infrastructure, including municipal governments and healthcare organizations, maximizing pressure on victims to pay ransoms.  

Notable Victims and Reported Losses:

| Victim Entity | Reported Impact | Estimated Financial Loss/Cost |
|---|---|---|
| City of Baltimore, MD | Major disruption to essential city services for months, including property tax processing, water bills, parking citations, and other revenue functions. Hundreds of computers taken offline. | Over $19 million |
| City of Greenville, NC | Significant disruptions and financial losses. Systems offline for extended periods, impacting city operations. Ransom was reportedly not paid; city opted to restore from backups. | Millions of dollars (implied) |
| City of Gresham, OR | Identified in the indictment as a victim of Robbinhood ransomware, implying significant disruption and financial impact. | Not specified in release |
| City of Yonkers, NY | Identified in the indictment as a victim. Reports indicate the city refused to pay ransom and restored from backups, experiencing operational disruptions. | Not specified in release |
| Healthcare Organizations | The scheme targeted healthcare organizations, causing significant disruptions. The healthcare sector is a prime target due to the critical nature of its services and the sensitive data it holds. | Tens of millions (aggregate) |
| Other Corporations/Entities | The indictment mentions corporations and other entities were also victimized. | Tens of millions (aggregate) |

The attack on the City of Baltimore in May 2019 was particularly severe and well-documented. The city’s IT systems were crippled for weeks, impacting real estate transactions, email communications, and online payment portals. The total cost to Baltimore, including recovery and lost revenue, eventually exceeded $18 million, with some sources citing $19 million as per the DOJ release. The attackers initially demanded 13 Bitcoin (approximately $76,280 at the time). Baltimore’s decision not to pay the ransom, while aligning with FBI recommendations, led to a protracted and costly recovery process.  

The City of Greenville, North Carolina, was struck in April 2019, prior to the Baltimore attack. While specific financial loss figures for Greenville are not detailed in the DOJ release, the impact was described as causing “operational delays and millions of dollars in losses”. The city reportedly experienced downtime for at least two weeks and opted to restore from backups rather than pay the ransom.  

The indictment also names the City of Gresham, Oregon, and the City of Yonkers, New York, as victims, underscoring the nationwide reach of this ransomware campaign. The City of Yonkers, attacked in September 2021 (though the indictment links Gholinejad’s activity to 2019-2020), also refused to pay a ransom and focused on restoring data from backups, leading to manual processing of city services.  

The targeting of healthcare organizations is a deeply concerning aspect of this scheme. Ransomware attacks on healthcare providers can have life-threatening consequences, disrupting patient care, delaying critical procedures, and compromising sensitive patient data. While specific healthcare victims of the Robbinhood scheme are not named in the press release, the acknowledgment of their targeting emphasizes the indiscriminate and dangerous nature of such cyberattacks. The healthcare sector remains a highly attractive target for ransomware groups due to the critical need for immediate data access and often, perceived weaker security postures in smaller facilities.  

The collective financial toll of “tens of millions of dollars” and the severe disruption to public services highlight the profound economic and societal damage these attacks can inflict. The attackers leveraged the success of their initial high-profile attacks to intimidate subsequent victims, creating a climate of fear and increasing the pressure to pay.  

Investigation and International Cooperation: Bringing Cybercriminals to Justice

The successful prosecution of Sina Gholinejad is a testament to the dedication of U.S. law enforcement agencies and the critical importance of international cooperation in combating transnational cybercrime.

“These ransomware actors leveraged sophisticated tools and tradecraft to harm innocent victims in the United States, all while believing they could conduct their illegal activities safely from overseas,” said Acting Special Agent in Charge James C. Barnacle Jr. of the FBI’s Charlotte Field Office. “This case demonstrates the capability and resolve of the FBI and our partners to find and impose consequences on cybercriminals no matter where they attempt to hide.”  

The investigation was led by the FBI Charlotte Field Office, with substantial assistance from the FBI Baltimore Field Office. The complex nature of cybercrime, where perpetrators and victims are often in different jurisdictions, necessitates robust international partnerships. In this case, the Justice Department explicitly extended its thanks to international judicial and law enforcement partners in Bulgaria for providing valuable assistance with the collection of evidence. This cooperation was crucial in piecing together the evidence needed to secure Gholinejad’s conviction. The Justice Department’s Office of International Affairs also played a significant role in facilitating this evidence collection.  

While details of Gholinejad’s apprehension are not provided in the press release, the fact that an Iranian national involved in overseas operations has pleaded guilty in a U.S. court underscores the reach and persistence of U.S. authorities in pursuing such cases. Bulgaria’s cooperation in this specific Robbinhood ransomware investigation highlights a growing trend of international collaboration to dismantle cybercriminal networks. Such partnerships are indispensable for overcoming jurisdictional challenges, gathering digital evidence across borders, and ultimately holding perpetrators accountable.  

The prosecution team includes Senior Counsels Aarash A. Haghighat and Ryan K. J. Dickey of the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorney Bradford DeVoe for the Eastern District of North Carolina. Valuable assistance was also provided by Trial Attorney Alexandra Cooper-Ponte of CCIPS and Deputy Chief Matthew Anzaldi of the National Security Division’s National Security Cyber Section.  

Sentencing and the U.S. Sentencing Guidelines

Sina Gholinejad pleaded guilty to one count of computer fraud and abuse (specifically, conspiracy to commit fraud and related activity in connection with computers under 18 U.S.C. § 371, referencing 18 U.S.C. § 1030(a)(5)(A)) and one count of conspiracy to commit wire fraud (18 U.S.C. § 1349). He faces a maximum penalty of 30 years in prison and is scheduled to be sentenced in August. A federal district court judge will determine the final sentence after considering the U.S. Sentencing Guidelines and other statutory factors.  

The U.S. Sentencing Guidelines, particularly §2B1.1, which covers offenses involving fraud and deceit, will play a crucial role in determining Gholinejad’s sentence. A key factor under §2B1.1 is the “loss amount”. The guidelines define loss as the greater of actual loss or intended loss. Given that the Robbinhood scheme caused “tens of millions of dollars in losses,” this will likely result in a significant offense level increase.  

For instance, under §2B1.1(b)(1):

  • Losses exceeding $9,500,000 but not more than $25,000,000 result in an increase of 20 levels.
  • Losses exceeding $25,000,000 but not more than $65,000,000 result in an increase of 22 levels.  

The press release states Baltimore alone lost over $19 million, and the total scheme caused “tens of millions” in losses. If the total loss is determined to be in the $25 million to $65 million range, this would correspond to a 22-level increase to the base offense level. Other factors that could influence the sentencing include the number of victims (described as “cities, corporations, health care organizations, and other entities”), the sophistication of the scheme (use of cryptocurrency mixers, VPNs, compromised drivers), Gholinejad’s role in the offense, and whether the offense involved critical infrastructure or was committed from abroad. The exploitation of sophisticated tools and tradecraft, as mentioned by Acting Special Agent in Charge James C. Barnacle Jr., could also be an aggravating factor. The court will make a reasonable estimate of the loss, which includes reasonably foreseeable pecuniary harm that resulted from the offense. For offenses under 18 U.S.C. § 1030, actual loss includes reasonable costs to victims for responding to the offense, conducting damage assessments, and restoring data, programs, systems, or information.  

The Robbinhood ransomware scheme, active primarily in 2019 and 2020, aligns with several broader trends observed in the global ransomware landscape. The targeting of critical infrastructure, including municipalities and healthcare, became increasingly prevalent during this period and continues to be a major concern. Such targets are often perceived as more likely to pay ransoms due to the severe consequences of service disruption.  

The Robbinhood group’s TTPs, such as exploiting known vulnerabilities (like the GIGABYTE driver) and disabling security software, are common tactics employed by various ransomware families, including notorious groups like Ryuk, Conti, and LockBit. While Robbinhood itself was not typically described as a Ransomware-as-a-Service (RaaS) operation in the same vein as LockBit, its operators demonstrated a high level of sophistication comparable to these major threat actors. The use of data exfiltration for double extortion, also seen with Robbinhood, has become a standard tactic for many ransomware groups.  

Globally, ransomware attacks surged in 2024, with an 11% increase in published attacks compared to 2023, totaling 5,414 worldwide. The U.S. remained the most targeted country. The business services, retail, and manufacturing sectors were heavily impacted, though the construction industry saw a significant rise in attacks. High-value sectors like critical infrastructure, healthcare, telecommunications, and financial services continue to be prime targets, with ransom demands reaching unprecedented levels. The rise of RaaS models has democratized ransomware, allowing less skilled affiliates to launch sophisticated attacks.  

The motivations behind ransomware attacks are also evolving. While financial gain remains primary for many criminal groups, state-linked actors are increasingly using ransomware for strategic objectives, including political pressure, espionage, and disruption, sometimes using financial motives as a cover. Iran-linked groups, for instance, have a history of disruptive cyber operations and have incorporated ransomware into their toolkit, sometimes prioritizing psychological impact or plausible deniability over direct financial extortion.  

Protecting Against Ransomware: Guidance from StopRansomware.gov

In light of the persistent and evolving threat posed by ransomware, the Department of Justice strongly encourages individuals and organizations to visit StopRansomware.gov. This central U.S. government website provides a wealth of resources, guidance, and best practices to help defend against ransomware attacks and know what steps to take if an attack occurs.  

Key recommendations from StopRansomware.gov and the associated CISA #StopRansomware Guide include:

  • Maintain Offline, Encrypted, and Regularly Tested Backups: This is often the most critical defense, allowing organizations to restore data without paying a ransom.  
  • Implement Good Cyber Hygiene: This includes conducting regular vulnerability scanning, especially on internet-facing devices, and promptly patching software and operating systems.  
  • Utilize Phishing-Resistant Multi-Factor Authentication (MFA): MFA should be enforced for all services, particularly for email, VPNs, and accounts accessing critical systems.  
  • Secure Remote Access: Limit and secure Remote Desktop Protocol (RDP) and other remote access services. Implement strong passwords, account lockout policies, and logging for remote connections.  
  • Develop and Exercise an Incident Response Plan: Having a well-documented and regularly practiced incident response plan is crucial for effective and timely action during an attack.  
  • Employ Network Segmentation and Zero Trust Principles: These measures can help contain the spread of ransomware and limit an attacker’s lateral movement within a network.  
  • Conduct Employee Training: Educate employees on recognizing phishing attempts, social engineering tactics, and the importance of strong password security.  

Victims of ransomware are urged to report incidents immediately to federal law enforcement through the Internet Crime Complaint Center (IC3), their local FBI field office, or their local U.S. Secret Service field office. Reporting can help authorities investigate the crime, potentially recover stolen funds, and prevent future attacks. The proactive guidance available through StopRansomware.gov, combined with robust law enforcement action, forms a critical part of the U.S. government’s strategy to combat the pervasive threat of ransomware.  

Conclusion: A Milestone in the Fight Against Cyber Extortion

The guilty plea of Sina Gholinejad represents a significant milestone in the relentless efforts of the U.S. Department of Justice and its partners to dismantle international ransomware syndicates like the one behind the Robbinhood attacks. It sends a clear message that cybercriminals, regardless of their location, will be pursued and held accountable for the extensive damage they inflict on individuals, businesses, and critical public infrastructure.

This case underscores the crucial role of international cooperation in tackling borderless cyber threats and highlights the sophisticated capabilities of law enforcement in investigating complex digital crimes, including the tracing of cryptocurrency and the attribution of malicious online activity. As Gholinejad awaits sentencing, the broader fight against ransomware continues. The Justice Department remains committed to leveraging all available tools to disrupt these criminal enterprises and to support victims through resources like StopRansomware.gov, empowering them to build stronger defenses against this ever-evolving menace.

The indictment against Sina Gholinejad can be viewed here.  

Contact: Office of Public Affairs U.S. Department of Justice (202) 514-2007 www.justice.gov/opa

About the U.S. Department of Justice Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS): CCIPS is responsible for implementing the Department’s national strategies in combating computer crime and intellectual property offenses worldwide. CCIPS prevents, investigates, and prosecutes computer crimes by working with federal prosecutors, international partners, other government agencies, and the private sector.

About the U.S. Attorney’s Office for the Eastern District of North Carolina: The U.S. Attorney’s Office for the Eastern District of North Carolina is responsible for prosecuting federal crimes in the district, including cybercrime, fraud, and public corruption.

About the Federal Bureau of Investigation (FBI): The FBI is the principal investigative arm of the U.S. Department of Justice. Its mission is to protect and defend the United States against terrorist and foreign intelligence threats, to uphold and enforce the criminal laws of the United States, and to provide leadership and criminal justice services to federal, state, municipal, and international agencies and partners.
