Iranian National Admits Guilt in RobbinHood Ransomware Attacks, Potential 30-Year Sentence Imminent


An Iranian national has admitted to his involvement in the RobbinHood ransomware operation, which targeted U.S. cities and organizations over five years, leading to data breaches, device encryption, and attempts to extort millions of dollars.

According to the U.S. Department of Justice and a recently unsealed indictment, Sina Gholinejad, 39, also known as “Sina Ghaaf,” and his accomplices carried out RobbinHood ransomware attacks from at least January 2019 to March 2024.

The ransomware attacks affected numerous local governments, healthcare providers, and nonprofit organizations, leaving files encrypted and victims facing ransom demands in Bitcoin in exchange for decryption keys and a promise not to leak stolen data.

Notable victims included the cities of Baltimore, Greenville (North Carolina), Gresham (Oregon), and Yonkers (New York), along with entities such as Meridian Medical Group and Berkshire Farm Center.

Gholinejad and his associates typically gained access to networks by using compromised administrator accounts or exploiting vulnerabilities, executed the ransomware manually, and demanded payment through Tor-hosted dark web sites.

The RobbinHood gang rose to prominence in May 2019 when they severely disrupted Baltimore’s IT systems for weeks.

In subsequent operations, the group also engaged in data theft, leveraging stolen information and the threat of leaks to exert additional pressure on victims.

RobbinHood's methodology stood out for its use of a legitimate but vulnerable Gigabyte driver (gdrv.sys) in a Bring Your Own Vulnerable Driver (BYOVD) attack to disable antivirus solutions, which allowed the ransomware's encryption routine to run without interference from security software.
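As an added illustration of the defensive side of the BYOVD tactic described above (example code written for this page, not from the indictment or any vendor tool): a small Python scanner over constructed Sysmon DriverLoad (Event ID 6) records that flags the gdrv.sys driver named in the article, along with unsigned drivers and drivers loaded from unusual paths. The watchlist, the key=value field layout and the sample events are assumptions.

```python
"""Flag Bring-Your-Own-Vulnerable-Driver (BYOVD) loads in Sysmon Event ID 6
(DriverLoad) records.  Watchlist and sample events are constructed."""
import re
from pathlib import PureWindowsPath

# Assumption: driver file names that should never load in this environment.
# Name matching is a weak control (the file can be renamed); in production,
# match the Sysmon Hashes field against a vendor vulnerable-driver blocklist.
VULNERABLE_DRIVER_NAMES = {"gdrv.sys"}

# Constructed sample records in the key=value form of Sysmon's message text.
SAMPLE_EVENTS = [
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys "
    "Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Users\\Public\\gdrv.sys "
    "Signed=true Signature=Giga-Byte Technology SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Temp\\helper.sys "
    "Signed=false Signature=- SignatureStatus=Unavailable",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe",
]

# key=value pairs; a value runs until the next " key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one Sysmon message line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def is_suspicious_driver_load(event: dict) -> tuple:
    """Return (flagged, reason) for one parsed event."""
    if event.get("EventID") != "6":
        return False, "not a driver load"
    path = event.get("ImageLoaded", "")
    name = PureWindowsPath(path).name.lower()
    if name in VULNERABLE_DRIVER_NAMES:
        return True, f"known vulnerable driver {name} (BYOVD)"
    if event.get("SignatureStatus", "").lower() != "valid":
        return True, f"driver with non-valid signature: {name}"
    if not path.lower().startswith("c:\\windows\\system32\\drivers\\"):
        return True, f"driver loaded from unusual location: {path}"
    return False, "ok"


def scan(lines) -> list:
    """Return [(driver name, reason)] for every flagged driver load."""
    findings = []
    for line in lines:
        event = parse_event(line)
        flagged, reason = is_suspicious_driver_load(event)
        if flagged:
            findings.append((PureWindowsPath(event["ImageLoaded"]).name.lower(), reason))
    return findings
```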

Files encrypted by the RobbinHood ransomware

The ransom notes that were left on infected devices directed victims to communicate through Tor sites for ransom negotiations.

The indictment outlines how the attackers employed virtual private servers in Europe, VPNs, and cryptocurrency mixers to evade detection by law enforcement authorities.

Gholinejad has pleaded guilty in a North Carolina federal court and faces a maximum sentence of 30 years in prison for conspiracy to commit fraud, computer intrusion, extortion, and money laundering.