May 28, 2025Ravie LakshmananRansomware / Data Breach

An Iranian national has pleaded guilty in the U.S. over his involvement in an international ransomware and extortion scheme involving the Robbinhood ransomware.

Sina Gholinejad (aka Sina Ghaaf), 37, and his co-conspirators are said to have breached the computer networks of various organizations in the United States and encrypted files with Robbinhood ransomware to demand Bitcoin ransom payments.

Gholinejad, who was arrested in North Carolina in early January, pleaded guilty to one count of computer fraud and abuse and one count of conspiracy to commit wire fraud. He faces a maximum penalty of 30 years in prison. He is scheduled for sentencing in August 2025.

“These cyber attacks caused significant disruptions and tens of millions in losses, including to the City of Greenville, North Carolina, and the City of Baltimore, Maryland,” the U.S. Department of Justice (DoJ) said.

“Baltimore lost more than $19 million from the damage caused to their computer networks and the resulting disruption to several essential city services, including online services for processing property taxes, water bills, parking citations, and other revenue-generating functions, which lasted many months.”

According to court documents, Gholinejad and others infiltrated and maintained unauthorized access to victim computer networks between January 2019 and March 2024, after which sensitive information was copied to virtual private servers under their control and deployed the ransomware strain.

The ill-gotten proceeds were laundered through cryptocurrency mixing services and by moving assets between different types of cryptocurrencies, a technique known as chain-hopping. The threat actors also concealed their identities and activities by using virtual private networks and servers.

Robbinhood was one of the cybercrime actors to latch onto bring your own vulnerable driver (BYOVD) attacks, employing a legitimate but vulnerable Gigabyte driver (gdrv.sys) to escalate privileges and disarm security software.

“Cybercrime is not a victimless offense – it is a direct attack on our communities, as seen in this case. Gholinejad and his co-conspirators orchestrated a ransomware scheme that disrupted lives, businesses, and local governments, and resulted in losses of tens of millions of dollars from unsuspecting victims and institutions,” said acting U. S. Attorney Daniel P. Bubar for the Eastern District of North Carolina.