An Iranian national has pleaded guilty to helping run the Robbinhood ransomware operation, which attacked U.S. city networks, healthcare providers, and nonprofit organizations over five years.

According to the U.S. Department of Justice, 39-year-old Sina Gholinejad, also known as “Sina Ghaaf,” and his group used the Robbinhood ransomware from January 2019 to March 2024 to steal data, encrypt devices, and demand Bitcoin ransoms.

Victims included the cities of Baltimore (Maryland), Greenville (North Carolina), Gresham (Oregon), and Yonkers (New York), as well as healthcare and nonprofit organizations such as Meridian Medical Group and Berkshire Farm Center.

The group typically gained initial access with compromised administrator credentials or by exploiting software vulnerabilities. Once inside, they deployed the ransomware by hand rather than through automated spreading, and left ransom notes directing victims to payment sites reachable only over the Tor network. In many cases they also threatened to leak stolen data unless the ransom was paid, a double-extortion approach.

The Robbinhood gang became widely known in May 2019 when they disrupted Baltimore’s IT systems, causing major issues that lasted for weeks.

One notable tactic was disabling antivirus protection by abusing a legitimately signed but vulnerable Gigabyte driver (gdrv.sys). Because the driver carries a valid signature, Windows loads it like any other; the attackers then used its kernel-level access to turn off endpoint protection so the ransomware could run unimpeded. This is known as a Bring Your Own Vulnerable Driver (BYOVD) attack. The practical defense is to refuse known-bad drivers by hash (for example via Microsoft's vulnerable driver blocklist and hypervisor-protected code integrity) and to alert on driver loads from unusual locations, since a blocklisted name alone is trivial to change.
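As an added illustration of how a defender would catch the driver abuse described above (this is example code written for this article, not anything from the ransomware or from the investigation), the script below scans driver-load telemetry in the shape of Sysmon Event ID 6 records. The records, the hash values and the single-entry blocklist are all constructed for the example; in practice the blocklist would come from a maintained source such as Microsoft's recommended driver block rules, and the hash match is the check to rely on, with the name and path checks as supporting signals.

```python
"""Flag driver-load events that match a vulnerable-driver blocklist or come
from an unusual path. Added example, not code from the article."""
import re
from pathlib import PureWindowsPath

# gdrv.sys is the driver the article names. The SHA-256 value is a
# placeholder (constructed) so the example runs offline; load real hashes
# from a maintained blocklist in production.
BLOCKLIST_NAMES = {"gdrv.sys"}
BLOCKLIST_SHA256 = {"a" * 64}

# Directories from which legitimately installed drivers are normally loaded.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers",
    "c:\\windows\\system32\\driverstore",
)

# Constructed Sysmon Event ID 6 ("Driver loaded") records, flattened to
# one pipe-separated key=value line each. Hashes and timestamps are made up.
SAMPLE_EVENTS = [
    "EventID=6|UtcTime=2024-03-01 10:00:01|ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys"
    "|Hashes=SHA256=" + "1" * 64 + "|Signed=true|Signature=Microsoft Windows",
    "EventID=6|UtcTime=2024-03-01 10:05:12|ImageLoaded=C:\\Users\\Public\\gdrv.sys"
    "|Hashes=SHA256=" + "a" * 64 + "|Signed=true|Signature=Giga-Byte Technology Co., Ltd.",
    "EventID=6|UtcTime=2024-03-01 10:06:44|ImageLoaded=C:\\Temp\\helper.sys"
    "|Hashes=SHA256=" + "b" * 64 + "|Signed=true|Signature=Some Vendor",
    # Not a driver load (Event ID 7, image load); must be ignored.
    "EventID=7|UtcTime=2024-03-01 10:07:00|Image=C:\\Windows\\explorer.exe"
    "|ImageLoaded=C:\\Windows\\System32\\user32.dll",
]


def parse_event(line):
    """Split a flattened record into a dict; values may contain spaces."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def classify_driver_load(event):
    """Return a finding dict for a suspicious driver load, else None."""
    if event.get("EventID") != "6":
        return None
    image = event.get("ImageLoaded", "")
    name = PureWindowsPath(image).name.lower()
    match = re.search(r"SHA256=([0-9a-fA-F]{64})", event.get("Hashes", ""))
    sha256 = match.group(1).lower() if match else None

    reasons = []
    if name in BLOCKLIST_NAMES:
        reasons.append("image name on vulnerable-driver blocklist")
    if sha256 and sha256 in BLOCKLIST_SHA256:
        reasons.append("SHA-256 on vulnerable-driver blocklist")
    if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside standard driver directories")
    if not reasons:
        return None
    return {
        "time": event.get("UtcTime"),
        "image": image,
        "sha256": sha256,
        "reasons": reasons,
    }


def scan(lines):
    """Run every record through the classifier and collect the findings."""
    findings = []
    for line in lines:
        finding = classify_driver_load(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["time"], f["image"], "->", "; ".join(f["reasons"]))
```

On the constructed input the legitimate ntfs.sys load is ignored, the gdrv.sys load is flagged on all three signals, and the unknown helper.sys is flagged only for its unusual path, which is the kind of weak signal that still merits a look when it follows a blocklisted driver. Detection of this sort is after the fact; a driver blocklist enforced by the OS stops the load from succeeding in the first place.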

To cover their tracks, the group operated from virtual private servers (VPS) hosted in Europe, connected through VPNs, and ran ransom payments through cryptocurrency mixers to break the link between victim payments and their own wallets.

Gholinejad pleaded guilty in federal court in North Carolina. He faces up to 30 years in prison on charges covering conspiracy to commit fraud, computer intrusion, extortion, and money laundering.