Full Report
Sina Gholinejad pleaded guilty to two counts in a scheme that most visibly hit the city of Baltimore, causing $19 million in damages. The post Iranian man pleads guilty in Robbinhood ransomware scheme appeared first on CyberScoop.
Analysis Summary
# Incident Report: Robbinhood Ransomware Scheme and Guilty Plea
## Executive Summary
This report summarizes the Robbinhood ransomware scheme, which spanned from January 2019 through at least March of an unspecified year, culminating in the guilty plea of Iranian national Sina Gholinejad. The scheme deployed Robbinhood ransomware against numerous targets, including the city of Baltimore, resulting in over \$19 million in damages and disruption to essential public services. The response involved international law enforcement action, leading to Gholinejad's arrest in North Carolina and subsequent guilty plea on computer fraud and conspiracy charges.
## Incident Details
- **Discovery Date:** The scheme was active from January 2019, with the Baltimore attack being a notable, visible event prior to the indictment.
- **Incident Date:** Scheme began January 2019 and continued through at least March of the investigation period.
- **Affected Organization:** City of Baltimore, City of Greenville (NC), City of Yonkers (NY), various nonprofits, and medical groups.
- **Sector:** Government (Municipal), Healthcare, Nonprofit.
- **Geography:** United States (Baltimore; North Carolina; New York); actors operated from overseas (Iran).
## Timeline of Events
### Initial Access
- **Date/Time:** Began January 2019.
- **Vector:** Not explicitly detailed for every victim; all incidents involved deployment of the Robbinhood ransomware.
- **Details:** Co-conspirators carried out the malicious activity associated with the ransomware deployments.
### Lateral Movement
- **Details:** Not explicitly described in the source text, but implied by the execution of a widespread ransomware campaign across diverse entities.
### Data Exfiltration/Impact
- **Details:** The primary impact was disruption of essential public services and significant financial costs, notably \$19 million for Baltimore. Extortion attempts were executed through ransomware deployment.
### Detection & Response
- **How it was discovered:** The source text implies that detection occurred through the operational impact felt by victim organizations (e.g., the Baltimore attack).
- **Response actions taken:** Authorities (Justice Department) investigated, leading to the indictment of Gholinejad and his co-conspirators. Gholinejad was arrested in North Carolina in January, and subsequently pleaded guilty.
## Attack Methodology
- **Initial Access:** Deployment of Robbinhood ransomware (specific initial vector not detailed).
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Use of Virtual Private Networks (VPNs) and self-operated servers to hide identities and activities.
- **Credential Access:** Not detailed.
- **Discovery:** Gholinejad conducted online research related to the deployment of Robbinhood.
- **Lateral Movement:** Not detailed.
- **Collection:** Not detailed; the ransom extortion implies that encrypting and withholding victim data was the core impact mechanism rather than traditional collection.
- **Exfiltration:** Not detailed (ransomware focused on encryption/denial of access).
- **Impact:** Deployment of ransomware leading to service disruption and financial loss via extortion.
## Impact Assessment
- **Financial:** Over \$19 million in costs incurred by the City of Baltimore alone; "tens of millions of dollars in losses" across all victims.
- **Data Breach:** The reported impact was disruption and encryption of systems by ransomware; the source does not describe exfiltration of unencrypted data, although the extortion implies that data was held hostage.
- **Operational:** Disruption of essential public services in victimized cities and organizations.
- **Reputational:** Damage to targeted public entities due to service outages.
## Indicators of Compromise
- **Network indicators:** Use of infrastructure including Virtual Private Networks (VPNs) and self-operated servers.
- **File indicators:** Robbinhood ransomware strains utilized.
- **Behavioral indicators:** Attempted money laundering via:
  - Cryptocurrency mixing services.
  - "Chain-hopping" (moving assets between different types of cryptocurrencies).
## Response Actions
- **Containment measures:** Not detailed; containment likely involved isolating affected networks after detection.
- **Eradication steps:** Not detailed in the context of the victims' response.
- **Recovery actions:** Baltimore incurred over \$19 million in costs, implying extensive recovery efforts. The overall response culminated in the legal action against the perpetrators.
## Lessons Learned
- **Key takeaways:** Coordinated international criminal activity persisted for years, targeting critical U.S. infrastructure, including municipalities and healthcare. Sophisticated money laundering techniques (mixing services, chain-hopping) were employed to obscure illicit funds.
- **What could have been done better:** The recurring theme is that a stronger network security posture at the affected city governments could have prevented the initial ransomware deployment.
## Recommendations
- **Prevention measures for similar incidents:** Strengthen municipal and healthcare network defenses against known ransomware strains such as Robbinhood. Implement robust security monitoring to detect the non-standard network traffic associated with attacker-operated VPNs and servers used to conceal identity and activity. Maintain visibility into cryptocurrency laundering techniques such as mixing services and chain-hopping, and enforce strict controls on cryptocurrency movements for any system that may interact with external funds.