Sina Gholinejad admitted to using the Robbinhood ransomware variant to extort ransom payments from dozens of victims.
# Incident Report: Robbinhood Ransomware Campaign Targeting US Municipalities
## Executive Summary
Sina Gholinejad, an Iranian national, pleaded guilty for his role in a widespread ransomware campaign using the Robbinhood variant against numerous US victims, including municipalities in Maryland, New York, and Oregon, beginning in January 2019. The attacks caused tens of millions of dollars in losses, notably $19 million for the City of Baltimore, by taking essential services offline for months. The operation concluded with the arrest of Gholinejad in January 2024, following extensive collaboration with international partners.
## Incident Details
- **Discovery Date:** Ongoing detection and reporting throughout the campaign (2019–2024). The Baltimore incident was publicly disclosed in May 2019.
- **Incident Date:** Attacks began in January 2019 and continued until March 2024.
- **Affected Organization:** Dozens of victims, including the cities of Baltimore (MD), Greenville (NC), Gresham (OR), and Yonkers (NY), plus health care organizations and businesses.
- **Sector:** Government/Municipal Services, Healthcare, Business.
- **Geography:** United States (Maryland, New York, Oregon, North Carolina).
## Timeline of Events
### Initial Access
- **Date/Time:** Beginning January 2019 (for the start of the Robbinhood usage).
- **Vector:** Unspecified initial compromise vector allowing deployment of Robbinhood ransomware.
- **Details:** Gholinejad and co-conspirators deployed Robbinhood ransomware against victim networks.
### Lateral Movement
- **Details:** The source does not describe the method, but the ransomware was deployed across municipal networks and disrupted essential functions, which implies that lateral movement was achieved.
### Data Exfiltration/Impact
- **Details:** The primary impact was encryption and service disruption. The source explicitly mentions extortion threats against other governments but no specific large-scale data exfiltration; extortion of this kind nonetheless implies some degree of data compromise. Baltimore suffered disruption of basic functions for months.
### Detection & Response
- **How it was discovered:** Multiple incidents were eventually linked, culminating in investigations by the US Department of Justice. The Baltimore attack was publicly disclosed in May 2019.
- **Response actions taken:** Law enforcement investigation led to the perpetrator's arrest in January 2024 (detained in North Carolina), facilitated by assistance from Bulgarian officials. Gholinejad subsequently pleaded guilty to federal charges.
## Attack Methodology
- **Initial Access:** Not explicitly detailed, but involved gaining access to victim networks.
- **Persistence:** Not explicitly detailed, but access was maintained long enough to deploy ransomware across organizations.
- **Privilege Escalation:** Not explicitly detailed, but required to deploy ransomware across municipal systems.
- **Defense Evasion:** Not explicitly detailed, but necessary for a multi-year campaign against various entities.
- **Credential Access:** Implied, as ransomware deployment typically requires high-level access.
- **Discovery:** Not explicitly detailed.
- **Lateral Movement:** Implied, as malware spread across municipal IT infrastructure.
- **Collection:** Not explicitly detailed, though extortion was a goal.
- **Exfiltration:** Extortion threats were used, but details on exfiltration are sparse.
- **Impact:** Encryption of systems using Robbinhood ransomware, leading to service outages and financial loss.
## Impact Assessment
- **Financial:** Tens of millions of dollars in losses across all victims; specifically **$19 million** damage to the City of Baltimore alone.
- **Data Breach:** Implied compromise of municipal data, though the enforcement action focused on the ransomware and extortion.
- **Operational:** Critical disruption of essential public services for months, including revenue-generating municipal functions (Baltimore).
- **Reputational:** Damage to public trust in the targeted municipalities due to sustained service outages.
## Indicators of Compromise
*(Note: Specific IOCs were not detailed in the summary text, only the malware family.)*
- **Network indicators - defanged:** N/A
- **File indicators:** Robbinhood Ransomware variant.
- **Behavioral indicators:** Mass encryption leading to system outages and extortion demands.
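The behavioural indicator above (mass encryption) is the one signal the report does give defenders, so the following added example, which is not part of the original report and uses no Robbinhood-specific telemetry, shows one way to turn it into a check: it reads file-activity events in an assumed CSV-style format (timestamp, host, action, path, new path) and flags any host that modifies or renames at least `threshold` files within `window_seconds`, reporting how many directories were touched and how many of the events changed the file extension. The host names, paths and the `.enc_sample` extension are constructed sample data.

```python
"""Burst detector for mass file modification (added example, not the report's code)."""
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed file-activity events in an assumed 'ts,host,action,path,new_path' format."""
    events = []
    base = datetime(2019, 5, 7, 3, 12, 0)
    # Host FIN-WS01: 80 renames to a new extension within 40 seconds across 8 directories
    # (a constructed stand-in for a ransomware encryption burst).
    for i in range(80):
        ts = base + timedelta(seconds=i // 2)
        src = f"C:\\Shares\\Finance\\dept{i % 8}\\file{i}.xlsx"
        events.append(f"{ts.isoformat()},FIN-WS01,RENAME,{src},{src}.enc_sample")
    # Host HR-WS02: 10 ordinary document writes spread over an hour (benign baseline).
    for i in range(10):
        ts = base + timedelta(minutes=6 * i)
        events.append(f"{ts.isoformat()},HR-WS02,WRITE,C:\\Users\\hr\\Documents\\memo{i}.docx,")
    return events


def parse_event(line):
    """Split one event line into a dict; new_path is empty for non-rename actions."""
    ts, host, action, path, new_path = line.split(",", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "action": action,
        "path": path,
        "new_path": new_path,
    }


def _extension_changed(ev):
    """True when a rename replaced the file's extension (a common encryption side effect)."""
    if not ev["new_path"]:
        return False
    return ntpath.splitext(ev["path"])[1] != ntpath.splitext(ev["new_path"])[1]


def detect_mass_modification(lines, threshold=50, window_seconds=60):
    """Return one alert per host whose sliding-window event count reaches the threshold."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        per_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e["ts"])
        window = deque()
        for ev in evs:
            window.append(ev)
            # Drop events that fell out of the trailing time window.
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold:
                alerts.append({
                    "host": host,
                    "start": window[0]["ts"].isoformat(),
                    "end": ev["ts"].isoformat(),
                    "events": len(window),
                    "distinct_dirs": len({ntpath.dirname(e["path"]) for e in window}),
                    "extension_changes": sum(1 for e in window if _extension_changed(e)),
                })
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_modification(build_sample_events()):
        print(alert)
```

Tune `threshold` and `window_seconds` against a baseline of normal activity before relying on it; backup jobs and bulk document migrations produce similar bursts, which is why the alert carries the directory spread and extension-change counts for an analyst to weigh.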
## Response Actions
- **Containment measures:** Baltimore refused to pay the ransom, choosing to take hundreds of computers offline.
- **Eradication steps:** The ultimate eradication came through law enforcement action: the arrest and subsequent conviction of the perpetrator, Sina Gholinejad.
- **Recovery actions:** Baltimore officials spent months recovering from service disruptions.
## Lessons Learned
- **Key takeaways:** Ransomware campaigns targeting critical infrastructure and municipal services can persist for years, causing massive financial damage and significant operational disruption. Refusing to pay the ransom (as Baltimore did) is a stated policy, but recovery is costly and lengthy.
- **What could have been done better:** The scope of the attack (dozens of victims over 5 years) suggests current preventative security controls were insufficient against determined actors utilizing the Robbinhood variant.
## Recommendations
- Implement comprehensive endpoint detection and response (EDR) solutions across all municipal networks.
- Enforce strict network segmentation to limit lateral movement capabilities of ransomware payloads.
- Increase investment in proactive threat hunting, as the attack went undetected for several years across multiple targets.
- Bolster backup and disaster recovery strategies to reduce downtime following a successful encryption event.