Full Report
An Iranian national has pleaded guilty in the U.S. over his involvement in an international ransomware and extortion scheme involving the Robbinhood ransomware. Sina Gholinejad (aka Sina Ghaaf), 37, and his co-conspirators are said to have breached the computer networks of various organizations in the United States and encrypted files with Robbinhood ransomware to demand Bitcoin ransom payments.
Analysis Summary
# Incident Report: Robbinhood Ransomware Attack on Baltimore
## Executive Summary
An Iranian national, Sina Gholinejad, pleaded guilty in the U.S. for his role in an international extortion scheme utilizing the Robbinhood ransomware. The attacks infiltrated the networks of various U.S. organizations, including the City of Baltimore and the City of Greenville, causing significant operational disruption and tens of millions of dollars in losses, notably over $19 million for Baltimore. The response resulted in the arrest and conviction of one key perpetrator, highlighting the severe impact of ransomware on municipal infrastructure.
## Incident Details
- **Discovery Date:** Not stated in the source; only the period of unauthorized access (January 2019 to March 2024) is given.
- **Incident Date:** Attacks occurred between January 2019 and March 2024.
- **Affected Organization:** City of Baltimore, Maryland; City of Greenville, North Carolina; and other unnamed organizations.
- **Sector:** Government/Municipal Services.
- **Geography:** United States (specifically North Carolina and Maryland).
## Timeline of Events
### Initial Access
- **Date/Time:** Between January 2019 and March 2024.
- **Vector:** Infiltration and maintenance of unauthorized access to victim computer networks.
- **Details:** The group successfully breached target networks, maintaining persistent unauthorized access for several years.
### Lateral Movement
- **Details:** Threat actors copied sensitive information to virtual private servers under their control before deploying ransomware. (Specific lateral movement techniques are not detailed, but multi-year access implies significant internal navigation.)
### Data Exfiltration/Impact
- **Date/Time:** Prior to ransomware deployment (sometime before March 2024).
- **Impact:** Sensitive information was copied (data exfiltration occurred before encryption). The primary impact was file encryption via Robbinhood ransomware, leading to long-lasting disruption of essential city services in Baltimore (e.g., processing property taxes, water bills, parking citations).
### Detection & Response
- **Detection:** The specific detection method is not detailed, but the subsequent investigation led to the arrest of Sina Gholinejad in North Carolina in early January (the source does not state the year); prosecution followed.
- **Response Actions:** The U.S. Department of Justice (DoJ) pursued criminal charges, resulting in a guilty plea from Gholinejad to computer fraud and conspiracy to commit wire fraud.
## Attack Methodology
- **Initial Access:** Infiltration of victim computer networks (specific initial vector undisclosed).
- **Persistence:** Maintained unauthorized access between January 2019 and March 2024.
- **Privilege Escalation:** Employed Bring Your Own Vulnerable Driver (BYOVD) attacks, specifically leveraging a legitimate but vulnerable Gigabyte driver (`gdrv.sys`) to escalate privileges.
- **Defense Evasion:** The use of the vulnerable driver also served to disarm security software. Threat actors utilized Virtual Private Networks (VPNs) and servers to conceal identities and activities.
- **Credential Access:** Implied, necessary to move laterally and copy data.
- **Discovery:** Implied, necessary to map networks and identify sensitive data.
- **Lateral Movement:** Implied, required to access various systems within the victim networks.
- **Collection:** Sensitive information was copied to virtual private servers under their control.
- **Exfiltration:** Data was copied to attacker-controlled virtual private servers. Financial proceeds were laundered using cryptocurrency mixing services and chain-hopping between different cryptocurrencies.
- **Impact:** Deployment of Robbinhood ransomware, leading to encryption of files and operational shutdown of essential municipal revenue and service functions.
## Impact Assessment
- **Financial:** Over $19 million in losses for the City of Baltimore alone; tens of millions in losses across all victims, including the City of Greenville.
- **Data Breach:** Sensitive information was copied (type and volume not specified, but involved municipal operational data).
- **Operational:** Significant disruption to several essential city services in Baltimore (property tax processing, water bill processing, parking citations) that lasted for many months.
- **Reputational:** Publicized attacks against local governments, impacting public trust in essential services.
## Indicators of Compromise
*Note: IOCs provided in the source are generally technical artifacts related to the malware or laundering methods.*
- **Network indicators:** No addresses or domains are published in the source; the actors used Virtual Private Networks (VPNs) and virtual private servers to obscure their infrastructure.
- **File indicators:** Robbinhood ransomware strain utilized. Vulnerable Gigabyte driver (`gdrv.sys`) used for privilege escalation.
- **Behavioral indicators:** Deployment of ransomware following data staging on attacker-controlled VPS; use of cryptocurrency mixing services and chain-hopping for money laundering.
## Response Actions
- **Containment:** Not explicitly detailed, but the arrest and subsequent guilty plea represent the successful dismantling of the operation involving the named individual.
- **Eradication:** Implied removal of unauthorized access and malware persistence mechanisms once detection occurred.
- **Recovery:** The victims (e.g., Baltimore) had to spend months recovering essential revenue-generating and public service functions.
## Lessons Learned
- The successful long-term compromise (2019–2024) emphasizes the critical need for continuous network monitoring and rapid detection capabilities, especially concerning long-dwelling threats.
- The adoption of advanced evasion techniques like BYOVD (using the vulnerable Gigabyte driver) highlights the threat posed by threat actors leveraging legitimate (but vulnerable) third-party software to bypass security controls.
- Ransomware deployment against critical municipal infrastructure causes severe, long-lasting disruption to core public services.
## Recommendations
- Implement enhanced patch management focusing not only on operating systems but also on third-party firmware/drivers (like Gigabyte's `gdrv.sys` or similar low-level components) to mitigate BYOVD risks.
- Enhance network segmentation to limit potential lateral movement following initial access, especially in critical municipal environments.
- Review and strengthen defenses against long-term unauthorized access, employing regular internal threat hunting and auditing of network activity to detect multi-year persistence.
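The BYOVD technique and the detection gap noted above can be partly addressed by reviewing driver-load telemetry. The following is an added example, not part of the original report or of any named tool: it scores Sysmon Event ID 6 (DriverLoad) records against a watchlist containing `gdrv.sys`, an unusual-path heuristic, and the signature fields. The sample events are constructed, the hashes and vendor name are placeholders, and a production watchlist should be populated from a maintained source such as Microsoft's vulnerable driver blocklist rather than this single name.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 6 (DriverLoad) records, one tab-separated
# "key=value" record per line. Hashes and the vendor name are placeholders.
SAMPLE_EVENTS = [
    "EventID=6\tImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys"
    "\tHashes=SHA256=PLACEHOLDER_HASH_1\tSigned=true"
    "\tSignature=Microsoft Windows\tSignatureStatus=Valid",
    "EventID=6\tImageLoaded=C:\\Windows\\Temp\\gdrv.sys"
    "\tHashes=SHA256=PLACEHOLDER_HASH_2\tSigned=true"
    "\tSignature=EXAMPLE-VENDOR\tSignatureStatus=Valid",
    "EventID=6\tImageLoaded=C:\\Users\\Public\\kill.sys"
    "\tHashes=SHA256=PLACEHOLDER_HASH_3\tSigned=false"
    "\tSignature=\tSignatureStatus=Unavailable",
]

# Driver names known to be abused for BYOVD. Only gdrv.sys comes from the
# report; extend this from a maintained vulnerable-driver list in practice.
KNOWN_ABUSED_DRIVERS = {"gdrv.sys"}
# Directories from which legitimately installed drivers normally load.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers",
                       "c:\\windows\\system32\\driverstore")

def parse_event(line: str) -> dict:
    """Split a flattened Sysmon record into a field dictionary."""
    fields = {}
    for token in line.split("\t"):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields

def assess(event: dict) -> list[str]:
    """Return the reasons a DriverLoad event deserves analyst attention."""
    reasons = []
    path = PureWindowsPath(event.get("ImageLoaded", ""))
    name, parent = path.name.lower(), str(path.parent).lower()
    # A BYOVD driver carries a valid vendor signature, so the name/hash
    # match is the decisive signal; the other checks catch sloppier drops.
    if name in KNOWN_ABUSED_DRIVERS:
        reasons.append(f"known-abused driver name: {name}")
    if not parent.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(f"driver loaded from unusual path: {parent}")
    if event.get("Signed") != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver signature missing or not valid")
    return reasons

def scan(lines) -> list[tuple[str, list[str]]]:
    """Return (image path, reasons) for every suspicious DriverLoad event."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") == "6" and (reasons := assess(event)):
            findings.append((event["ImageLoaded"], reasons))
    return findings

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```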