Iranian National Pleads Guilty to RobbinHood Ransomware Attacks on U.S. Municipalities

In a significant development in the fight against international cybercrime, 37-year-old Iranian national Sina Gholinejad has pleaded guilty in a North Carolina federal court to charges stemming from a series of ransomware attacks that targeted U.S. city governments and private entities. These attacks, which utilized the RobbinHood ransomware variant, resulted in substantial financial losses and service disruptions across multiple municipalities.

The RobbinHood Ransomware Campaign

Beginning in January 2019, Gholinejad and his co-conspirators launched a sophisticated cyber operation deploying the RobbinHood ransomware to infiltrate and encrypt data on victim networks. The attackers then demanded ransom payments in exchange for decryption keys. Notably, the City of Baltimore suffered a severe attack in May 2019, leading to over $19 million in damages and prolonged service outages. Essential services, including online processing of property taxes, water bills, and parking citations, were rendered inaccessible for months. The attackers demanded 13 Bitcoins, approximately $76,000 at the time, to restore access to the encrypted systems. ([apnews.com](https://apnews.com/article/aab689b79d5c9eb4ea78c9a77a997ffd?utm_source=openai))

Other municipalities affected by the RobbinHood ransomware included Greenville, North Carolina; Gresham, Oregon; and Yonkers, New York. These attacks underscored the vulnerability of municipal systems to sophisticated cyber threats and highlighted the need for enhanced cybersecurity measures across public sector networks. ([reuters.com](https://www.reuters.com/world/us/iranian-man-pleads-guilty-us-2019-baltimore-ransomware-attack-2025-05-27/?utm_source=openai))

Technical Sophistication of RobbinHood Ransomware

RobbinHood ransomware is distinguished by its advanced technical capabilities. The malware employs a bring-your-own-vulnerability tactic, exploiting legitimate software to bypass security protections. Specifically, it utilizes a vulnerable Gigabyte motherboard driver (GDRV.SYS) with a known security flaw (CVE-2018-19320) to gain kernel-level access to victim systems. This approach allows the attackers to disable Windows driver signature enforcement temporarily, enabling the installation of their own malicious unsigned driver (RBNL.SYS). The secondary driver systematically eliminates antivirus and security software processes, facilitating unimpeded file encryption. ([techmonitor.ai](https://www.techmonitor.ai/technology/cybersecurity/robbinhood-ransomware-gigabyte-driver?utm_source=openai))
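From a detection standpoint, the sequence described above (a signed but vulnerable driver loaded shortly before an unsigned one on the same host) is observable in driver-load telemetry. The following is an added example, not code from the article or from any of the cited sources: it correlates constructed Sysmon Event ID 6 (Driver Loaded) records, reusing Sysmon's real field names (ImageLoaded, Signed, SignatureStatus); the host names, timestamps, paths and the 10-minute correlation window are assumptions.

```python
# Added example: flag the BYOVD pattern the article describes, where a
# known-vulnerable signed driver (GDRV.SYS) precedes an unsigned driver
# (RBNL.SYS) on the same host. Sample events below are constructed, not real.
from datetime import datetime, timedelta

# Driver names the article attributes to this campaign; a real deployment
# would take this set from a maintained vulnerable-driver list.
KNOWN_VULNERABLE_DRIVERS = {"gdrv.sys"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 6 records
    {"host": "ws-17", "UtcTime": "2019-05-07 02:10:05", "ImageLoaded": r"C:\Windows\Temp\gdrv.sys", "Signed": "true", "SignatureStatus": "Valid"},
    {"host": "ws-17", "UtcTime": "2019-05-07 02:10:41", "ImageLoaded": r"C:\Windows\Temp\rbnl.sys", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"host": "ws-22", "UtcTime": "2019-05-07 03:00:00", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true", "SignatureStatus": "Valid"},
    {"host": "ws-22", "UtcTime": "2019-05-07 08:00:00", "ImageLoaded": r"C:\Users\a\test.sys", "Signed": "false", "SignatureStatus": "Unavailable"},
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def driver_name(ev):
    return ev["ImageLoaded"].rsplit("\\", 1)[-1].lower()

def find_byovd_sequences(events, window=WINDOW):
    """Return (host, vulnerable_driver, unsigned_driver) triples where an unsigned
    driver load follows a known-vulnerable driver load on the same host within window."""
    alerts, by_host = [], {}
    for ev in sorted(events, key=lambda e: _parse(e["UtcTime"])):
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        recent_vuln = []  # (time, name) of vulnerable-driver loads seen so far
        for ev in evs:
            t, name = _parse(ev["UtcTime"]), driver_name(ev)
            if name in KNOWN_VULNERABLE_DRIVERS:
                recent_vuln.append((t, name))
            elif ev["Signed"].lower() != "true":
                for vt, vname in recent_vuln:
                    if t - vt <= window:
                        alerts.append((host, vname, name))
    return alerts

def unsigned_driver_loads(events):
    """Lower-severity signal: every unsigned driver load, whatever preceded it."""
    return [(e["host"], driver_name(e)) for e in events if e["Signed"].lower() != "true"]

if __name__ == "__main__":
    for alert in find_byovd_sequences(SAMPLE_EVENTS):
        print("BYOVD pattern:", alert)
```

The unsigned load on ws-22 is reported only by the low-severity function because no vulnerable driver preceded it; the ws-17 pair is the sequence worth paging on.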

The encryption process employed by RobbinHood involves dual-layer encryption using AES for individual files and RSA-4096 for encrypting the AES keys, making decryption virtually impossible without the attackers’ private keys. Before initiating encryption, the malware disconnects all network shares, ensuring that each system is targeted individually. ([hstoday.us](https://www.hstoday.us/subject-matter-areas/cybersecurity/robbinhood-ransomware-campaign-targeting-government-networks/?utm_source=openai))

Arrest and Legal Proceedings

Gholinejad’s arrest at Raleigh-Durham International Airport on January 10, 2025, marked the culmination of an extensive international investigation involving multiple federal agencies. The case highlights the global reach of modern cybercrime, with conspirators operating sophisticated infrastructure, including virtual private networks, cryptocurrency mixing services, and chain-hopping techniques to launder Bitcoin payments. The prosecution relied heavily on international cooperation, with Bulgarian authorities providing crucial evidence collection assistance. ([reuters.com](https://www.reuters.com/world/us/iranian-man-pleads-guilty-us-2019-baltimore-ransomware-attack-2025-05-27/?utm_source=openai))

Gholinejad faces a maximum sentence of 30 years in prison, and his guilty plea sends a clear message that geographic distance provides no sanctuary for cybercriminals targeting U.S. infrastructure. The FBI’s Charlotte Field Office led the investigation, with support from the Baltimore Field Office and the Justice Department’s National Security Cyber Section. ([apnews.com](https://apnews.com/article/aab689b79d5c9eb4ea78c9a77a997ffd?utm_source=openai))

Implications and Lessons Learned

The RobbinHood ransomware attacks serve as a stark reminder of the vulnerabilities present in municipal and organizational networks. The Baltimore incident, in particular, underscores the critical need for robust cybersecurity measures, including regular system updates, comprehensive data backup processes, and employee training to recognize and prevent phishing attempts. The financial and operational impacts of such attacks highlight the importance of proactive defense strategies to safeguard against increasingly sophisticated cyber threats. ([verizon.com](https://www.verizon.com/business/resources/articles/s/lessons-from-the-robbinhood-ransomware-attack-on-baltimore/?utm_source=openai))

As cybercriminals continue to evolve their tactics, the collaboration between international law enforcement agencies and the implementation of advanced cybersecurity protocols remain essential in mitigating the risks posed by ransomware and other forms of cyberattacks.