Robbinhood Ransomware Operator Arrested for Attacks on Government and Private Networks


On May 27, 2025, Iranian national Sina Gholinejad, 37, pleaded guilty in a North Carolina federal court to charges of computer fraud and conspiracy to commit wire fraud, admitting his central role in the international Robbinhood ransomware campaign that targeted U.S. cities, corporations, and healthcare organizations.

The attacks, spanning from January 2019 to March 2024, encrypted critical data and demanded Bitcoin ransoms, causing tens of millions of dollars in losses and prolonged disruptions to essential public services.

The most notorious of these incidents was the May 2019 attack on Baltimore, Maryland, which forced the city to disconnect hundreds of computers, crippled online payment portals for property taxes, water bills, and parking tickets, and cost the city over $19 million in recovery and lost revenue.


Other victims included Greenville, North Carolina; Gresham, Oregon; Yonkers, New York; and several nonprofit and healthcare entities.

Technical Details and Attack Chain

Robbinhood ransomware is notable for its targeted approach and sophisticated evasion techniques.

Attackers typically gained initial access via compromised administrator accounts or unpatched vulnerabilities, then manually deployed the ransomware payload across victim networks.

Key technical features of Robbinhood include:

  • Service Disruption: The malware issues commands to stop nearly 200 Windows services, including those for antivirus, databases, and mail servers, using commands such as: cmd.exe /c sc.exe stop /y
  • Network Isolation: Disconnects all network shares to isolate infected machines: cmd.exe /c net use * /DELETE /Y
  • Data Encryption: For each file, Robbinhood generates a unique AES key, then encrypts this key and the original filename with an RSA public key. Encrypted files are renamed as: Encrypted_[randomstring].enc_robbinhood
  • Persistence and Cleanup: The ransomware deletes shadow copies and clears event logs to prevent recovery and forensic analysis, using commands such as: vssadmin.exe delete shadows /all /quiet and wevtutil.exe cl Application
  • Defensive Evasion: A critical innovation was the use of a legitimate but vulnerable Gigabyte driver (CVE-2018-19320) to disable endpoint security software at the kernel level, bypassing even fully patched Windows systems.
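To show the defender's view of the attack chain above, here is an added Python example (not code from the article, nor from any vendor) that scans process-creation log lines for the pre-encryption commands the article lists and flags a host only when several distinct ones occur within a short window, since a single vssadmin or wevtutil call is common in normal administration. The log format, host names and service names in the sample are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pre-encryption commands named in the article, as regexes over a process command line.
PATTERNS = [
    ("service-stop",   re.compile(r"\bsc(\.exe)?\s+stop\b.*\s/y\b", re.I)),
    ("share-teardown", re.compile(r"\bnet(\.exe)?\s+use\s+\*\s+/DELETE\s+/Y\b", re.I)),
    ("shadow-delete",  re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("log-clear",      re.compile(r"\bwevtutil(\.exe)?\s+cl\s+\w+", re.I)),
]

# Constructed sample of process-creation events (timestamp|host|command line); not real telemetry.
SAMPLE_LOG = """\
2019-05-07T02:14:01|WS-017|cmd.exe /c sc.exe stop MSSQLSERVER /y
2019-05-07T02:14:05|WS-017|cmd.exe /c net use * /DELETE /Y
2019-05-07T02:14:09|WS-017|vssadmin.exe delete shadows /all /quiet
2019-05-07T02:14:10|WS-017|wevtutil.exe cl Application
2019-05-07T02:30:00|WS-042|sc.exe stop Spooler /y
2019-05-07T09:12:44|WS-042|wevtutil.exe cl Application
"""

WINDOW = timedelta(minutes=5)   # how close together the tactics must occur
MIN_DISTINCT = 3                # distinct tactics needed before a host is flagged

def classify(cmdline):
    """Return the tactic label a command line matches, or None."""
    for label, rx in PATTERNS:
        if rx.search(cmdline):
            return label
    return None

def parse(log_text):
    """Parse 'timestamp|host|cmdline' rows into time-ordered (datetime, host, cmdline)."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, host, cmd = line.split("|", 2)
            events.append((datetime.fromisoformat(ts), host, cmd))
    return sorted(events)

def find_pre_encryption_hosts(log_text, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Flag hosts on which >= min_distinct different tactics occur within `window`."""
    per_host = defaultdict(list)
    for ts, host, cmd in parse(log_text):
        label = classify(cmd)
        if label:
            per_host[host].append((ts, label))
    alerts = {}
    for host, hits in per_host.items():
        for i, (start, _) in enumerate(hits):
            seen = {lbl for ts, lbl in hits[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                alerts[host] = sorted(seen)
                break
    return alerts
```

Running it on the sample flags WS-017 (four tactics in nine seconds) and ignores WS-042, whose two hits are hours apart.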

Victims received ransom notes demanding Bitcoin payments—typically 3 BTC per machine or 13 BTC for an entire network—with threats of increased fees and permanent data loss if payment was delayed.

Financial Impact and Money Laundering

The Robbinhood attacks inflicted severe financial and operational damage.

Baltimore alone spent over $19 million on recovery, while other cities and organizations faced similar multi-million-dollar losses.

The attackers laundered ransom payments through cryptocurrency mixing services and “chain-hopping,” moving assets between different cryptocurrencies to obscure the money trail.

To further evade detection, Gholinejad and his co-conspirators used virtual private networks (VPNs), virtual private servers (VPSs) in Europe, and Tor-hosted negotiation sites for ransom communications.

Risk Factors Table

Risk Factor | Description | Impact Level
--- | --- | ---
Vulnerable Remote Access | Exploitation of unpatched RDP services or weak credentials | High
Lack of Network Segmentation | Flat networks allowed lateral movement and manual deployment of ransomware | High
Outdated Security Software | Use of vulnerable drivers (e.g., Gigabyte CVE-2018-19320) to disable security defenses | Critical
Inadequate Backups | Insufficient or compromised backups prevented rapid recovery | High
Delayed Incident Response | Lack of disaster recovery plans extended downtime and losses | High
Cryptocurrency Payments | Use of Bitcoin and mixers facilitated anonymous ransom collection and laundering | High
Limited User Training | Social engineering and phishing increased initial compromise risk | Moderate

Law Enforcement Response and Sentencing

Gholinejad was arrested at Raleigh-Durham International Airport in January 2025 and now faces up to 30 years in prison, with sentencing scheduled for August.

The U.S. Department of Justice, with support from the FBI and international partners, emphasized that cybercriminals targeting critical infrastructure and public services will be prosecuted regardless of their location.

The Robbinhood case underscores the evolving threat of ransomware-as-a-service and the urgent need for robust cybersecurity, regular patching, network segmentation, and comprehensive disaster recovery planning in both public and private sectors.
