From the U.S. Department of Justice:
An Iranian national pleaded guilty today to participating in an international ransomware and extortion scheme involving the Robbinhood ransomware.
According to court documents and statements made in court, Sina Gholinejad, 37, and his co-conspirators compromised the computer networks of cities, corporations, health care organizations, and other entities around the United States, and encrypted files on these victim networks with the Robbinhood ransomware variant to extort ransom payments. These cyber attacks caused significant disruptions and tens of millions in losses, including to the City of Greenville, North Carolina, and the City of Baltimore, Maryland. Baltimore lost more than $19 million from the damage caused to their computer networks and the resulting disruption to several essential city services, including online services for processing property taxes, water bills, parking citations, and other revenue-generating functions, which lasted many months. The conspirators used the damage they caused these cities to threaten subsequent victims.
“Gholinejad and his co-conspirators — all of whom were overseas — caused tens of millions of dollars in losses and disrupted essential public services by deploying the Robbinhood ransomware against U. S. cities, health care organizations, and businesses,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. “The ransomware attack against the City of Baltimore forced the city to take hundreds of computers offline and prevented the city from performing basic functions for months. Gholinejad’s conviction reflects the Criminal Division’s commitment to bringing cybercriminals who target our cities, healthcare system, and businesses to justice no matter where they are located. There will be no impunity for these destructive attacks.”
“Cybercrime is not a victimless offense — it is a direct attack on our communities, as seen in this case. Gholinejad and his co-conspirators orchestrated a ransomware scheme that disrupted lives, businesses, and local governments, and resulted in losses of tens of millions of dollars from unsuspecting victims and institutions,” said acting U. S. Attorney Daniel P. Bubar for the Eastern District of North Carolina. “The announcement today marks a significant step towards justice for the countless victims impacted by the defendant’s malicious scheme. Cases like these act as a reminder that cybercriminals who seek to exploit our digital infrastructure for personal gain will be identified, prosecuted, and held accountable.”
“These ransomware actors leveraged sophisticated tools and tradecraft to harm innocent victims in the United States, all while believing they could conduct their illegal activities safely from overseas,” said Acting Special Agent in Charge James C. Barnacle Jr. of the FBI’s Charlotte Field Office. “This case demonstrates the capability and resolve of the FBI and our partners to find and impose consequences on cybercriminals no matter where they attempt to hide.”
Beginning in January 2019, Gholinejad and others gained and maintained unauthorized access to victim computer networks and then copied information from the infected victim networks to virtual private servers controlled by the conspirators. The conspirators also deployed Robbinhood ransomware to encrypt the victims’ files and extort Bitcoin from victims in exchange for the private key required to decrypt the victims’ computer files.
Gholinejad and his co-conspirators attempted to launder the ransom payments through cryptocurrency mixing services and by moving assets between different types of cryptocurrencies, a practice known as chain-hopping. They also hid their identities and activities through a number of technical methods, including the use of virtual private networks and servers that they operated. The indictment identifies multiple additional victims of Robbinhood ransomware, including, but not limited to, the City of Gresham, Oregon and the City of Yonkers, New York.
Gholinejad pleaded guilty to one count of computer fraud and abuse and one count of conspiracy to commit wire fraud and faces a maximum penalty of 30 years in prison. He is scheduled to be sentenced in August. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.
The FBI Charlotte Field Office investigated the case, with substantial assistance from the FBI Baltimore Field Office. The Justice Department extends its thanks to international judicial and law enforcement partners in Bulgaria for providing valuable assistance with the collection of evidence.
Senior Counsels Aarash A. Haghighat and Ryan K. J. Dickey of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U. S. Attorney Bradford DeVoe for the Eastern District of North Carolina are prosecuting the case, with valuable assistance from Trial Attorney Alexandra Cooper-Ponte of the Computer Crime and Intellectual Property Section and Deputy Chief Matthew Anzaldi of the National Security Division’s National Security Cyber Section.
The Justice Department’s Office of International Affairs also provided substantial assistance in the collection of evidence.
Additional details on protecting networks against ransomware are available at StopRansomware. gov.