RobbinHood Ransomware Hacker Pleads Guilty in US Court


A RobbinHood Attack Against Baltimore Cost City $19 Million

The Baltimore skyline in a photo dated April 24, 2025. (Image: Kate Scott/Shutterstock)

An Iranian national behind a spate of ransomware attacks against U.S. municipalities including an attack that cost the city of Baltimore $19 million pleaded guilty in U.S. federal court Tuesday afternoon.


The man, Sina Gholinejad, 37, admitted in a Raleigh, N.C. federal court to deploying RobbinHood ransomware onto the Baltimore city network, just weeks after a similar attack against the city of Greenville, N.C.

He pleaded guilty to one count of computer fraud and abuse and one count of conspiracy to commit wire fraud, charges that could lead to a maximum sentence of 30 years, prosecutors said. A grand jury indicted Gholinejad on seven criminal counts in April 2024.

The Baltimore incident vaulted RobbinHood ransomware operators into mainstream awareness as the city struggled for months after the May 7, 2019 attack to restore city services such as online payment processing and city tax lien verification. The local real estate market seized up until city officials implemented manual workarounds.

City officials calculated the bill for full recovery was at least $18.2 million – an amount that led the city council in August 2019 to transfer $6 million from parks and public facilities to pay for the effort, reported the Baltimore Sun. Officials said the figure included $10 million in direct IT recovery and $8.2 million in lost or delayed revenue from property taxes, real estate fees and some fines.

Hackers demanded 13 Bitcoins – then worth roughly $76,000 – to decrypt all the systems.

Ransomware hackers may have succeeded beyond expectations in crippling city functions, since an audit later disclosed that the IT department kept all of its files stored locally on hard drives.

Other victims of RobbinHood malware include the city of Gresham, OR, Yonkers, NY and a New Jersey medical practice. Attacks continued through at least March 2024.

Microsoft in 2020 wrote that RobbinHood hackers loaded a driver used to control hardware made by Taiwanese company Gigabyte onto victim computers. The driver contained a vulnerability tracked as CVE-2018-19320 allowing escalation of privilege, letting attackers gain access to the kernel. RobbinHood operators used that access to load an unsigned driver that disabled security products.

The start of a RobbinHood attack was much less complex, Microsoft also wrote. “They typically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords and service accounts with domain admin privileges.”
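The two stages Microsoft describes, an RDP brute-force against an exposed host followed by loading a signed-but-vulnerable driver and then an unsigned one, both leave traces in standard Windows telemetry: Security event 4625/4624 (failed/successful logon, LogonType 10 for RDP) and Sysmon event 6 (driver loaded, with hash and signature status). The script below is an added detection sketch, not code from the article or from Microsoft's report. It runs over constructed, simplified key=value log lines; the IP addresses, usernames, timestamps, file names and hash values are all made up, and the driver blocklist holds a placeholder rather than the real hash of the Gigabyte driver.

```python
"""Detection sketch for the two RobbinHood stages described in the article:
an RDP brute-force burst followed by a successful logon from the same source,
and driver loads that are either unsigned or match a known-vulnerable hash.
Added example; the log lines are constructed and simplified, not real captures."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (simplified rendering of Security 4625/4624 and Sysmon 6).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; hashes are placeholders.
SAMPLE_LOG = """\
2019-05-07T02:00:01 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2019-05-07T02:00:03 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin
2019-05-07T02:00:04 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=backup
2019-05-07T02:00:06 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=svc_backup
2019-05-07T02:00:07 EventID=4625 LogonType=3 IpAddress=198.51.100.2 TargetUserName=jdoe
2019-05-07T02:00:08 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=svc_backup
2019-05-07T02:00:09 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=svc_backup
2019-05-07T02:00:12 EventID=4624 LogonType=10 IpAddress=203.0.113.7 TargetUserName=svc_backup
2019-05-07T02:14:30 EventID=6 ImageLoaded=C:\\Windows\\Temp\\vendor_driver.sys Hashes=SHA256=PLACEHOLDER_VULNERABLE_DRIVER_HASH Signed=true
2019-05-07T02:15:10 EventID=6 ImageLoaded=C:\\Windows\\Temp\\dropped.sys Hashes=SHA256=PLACEHOLDER_UNSIGNED_DRIVER_HASH Signed=false
2019-05-07T02:20:00 EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Hashes=SHA256=PLACEHOLDER_BENIGN_HASH Signed=true
"""

RDP_LOGON_TYPE = "10"          # LogonType 10 = RemoteInteractive (RDP)
BRUTE_FORCE_THRESHOLD = 5      # failures from one source inside WINDOW
WINDOW = timedelta(minutes=5)

# Placeholder blocklist. In production this would be fed from a vulnerable-driver
# list (e.g. Microsoft's published driver blocklist), not hard-coded.
KNOWN_VULNERABLE_DRIVER_HASHES = {"SHA256=PLACEHOLDER_VULNERABLE_DRIVER_HASH"}


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"time": datetime.fromisoformat(ts)}
        for field in fields:
            key, value = field.split("=", 1)  # split once: hash values contain '='
            ev[key] = value
        events.append(ev)
    return events


def detect_rdp_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD, window=WINDOW):
    """Return {ip: {'failures': n, 'success_user': name|None}} for sources that
    produced >= threshold RDP failures within `window`; success_user is the
    account of the first RDP logon from that source after the burst, if any."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        if ev.get("EventID") == "4625":
            failures[ev["IpAddress"]].append(ev)
        elif ev.get("EventID") == "4624":
            successes[ev["IpAddress"]].append(ev)

    findings = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(fails)):          # sliding window over failures
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]["time"]
                later = [s for s in successes.get(ip, []) if s["time"] >= burst_end]
                findings[ip] = {
                    "failures": len(fails),
                    "success_user": later[0]["TargetUserName"] if later else None,
                }
                break
    return findings


def detect_suspicious_drivers(events, blocklist=KNOWN_VULNERABLE_DRIVER_HASHES):
    """Return [(image_path, reason)] for Sysmon 6 driver loads that are unsigned
    or whose hash appears on the known-vulnerable blocklist."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "6":
            continue
        hashes = set(ev.get("Hashes", "").split(","))  # Sysmon may list several
        if ev.get("Signed", "false").lower() != "true":
            findings.append((ev["ImageLoaded"], "unsigned"))
        elif hashes & blocklist:
            findings.append((ev["ImageLoaded"], "known-vulnerable"))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, info in detect_rdp_brute_force(evs).items():
        print(f"RDP brute force from {ip}: {info['failures']} failures, "
              f"success as {info['success_user']}")
    for image, reason in detect_suspicious_drivers(evs):
        print(f"driver load flagged ({reason}): {image}")
```

On the sample input this reports one source with six RDP failures followed by a successful logon as `svc_backup`, and two flagged driver loads: the signed vendor driver because its hash is on the blocklist, and the dropped driver because it is unsigned. The second finding is the one that matters most operationally: a signed driver with a known escalation bug is the bridge the article describes to loading unsigned kernel code, so the blocklist check catches the chain one step before the security products are disabled. Keeping the Sysmon `Signed`/`Hashes` fields populated and enabling the OS-level vulnerable driver blocklist are the corresponding preventive controls.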

National Cyber Security