The City of Baltimore fell victim to a RobbinHood ransomware attack in May 2019, orchestrated by Iranian national Sina Gholinejad and his co-conspirators. The attack crippled municipal operations by forcing hundreds of computers offline, halting essential government functions for months. Baltimore refused to pay the $76,000 ransom, and the incident inflicted $19 million in damages, disrupting revenue-generating services like property transactions, utility billing, and public safety systems. The hackers leveraged the Baltimore attack as a psychological extortion tactic, threatening other U.S. cities with similar consequences if they resisted ransom demands. Critical services including emergency response coordination, tax processing, and public records access remained impaired for an extended period, demonstrating the attack’s destructive scale and the long-term operational paralysis it caused in a major U.S. city. The case underscored the vulnerability of public infrastructure to state-affiliated cybercriminals and the cascading financial and societal costs of ransomware for governance.
Source: https://therecord.media/iranian-years-decades-guilty-ransomware
TPRM report: https://www.rankiteo.com/company/city-of-baltimore
"id": "cit0263302112825",
"linkid": "city-of-baltimore",
"type": "Ransomware",
"date": "5/2019",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'public administration',
                        'location': 'Baltimore, Maryland, USA',
                        'name': 'City of Baltimore',
                        'type': 'municipal government'},
                       {'industry': 'public administration',
                        'location': 'Greenville, North Carolina, USA',
                        'name': 'City of Greenville',
                        'type': 'municipal government'},
                       {'industry': 'public administration',
                        'location': 'Gresham, Oregon, USA',
                        'name': 'City of Gresham',
                        'type': 'municipal government'},
                       {'industry': 'public administration',
                        'location': 'Yonkers, New York, USA',
                        'name': 'City of Yonkers',
                        'type': 'municipal government'},
                       {'location': 'USA',
                        'name': 'Unnamed U.S. healthcare organizations and '
                                'businesses',
                        'type': ['healthcare', 'private sector']}],
 'attack_vector': ['malware deployment (Robbinhood ransomware)',
                   'network intrusion'],
 'data_breach': {'data_encryption': ['files encrypted by Robbinhood '
                                     'ransomware']},
 'date_detected': '2019-05',
 'description': 'Iranian national Sina Gholinejad, 37, pleaded guilty to '
                'deploying the Robbinhood ransomware variant against multiple '
                'U.S. cities, including Baltimore (May 2019), Greenville (NC), '
                'Gresham (OR), and Yonkers (NY). The attacks caused tens of '
                'millions in losses, disrupted essential public services, and '
                'extorted Bitcoin ransoms. Baltimore refused to pay the '
                '$76,000 ransom, resulting in $19 million in damages and '
                'months of service disruptions. Gholinejad was detained in '
                'January 2024 and faces up to 30 years in prison.',
 'impact': {'brand_reputation_impact': ['loss of public trust in municipal '
                                        'cybersecurity'],
            'downtime': 'months (Baltimore)',
            'financial_loss': '$19 million (Baltimore alone), tens of millions '
                              '(total across victims)',
            'legal_liabilities': ['criminal charges (computer fraud, wire '
                                  'fraud conspiracy)'],
            'operational_impact': ['disruption of essential public services',
                                   'revenue-generating municipal functions '
                                   'halted'],
            'revenue_loss': '$19 million (Baltimore)',
            'systems_affected': ['hundreds of computers (Baltimore)',
                                 'municipal IT infrastructure']},
 'initial_access_broker': {'high_value_targets': ['municipal governments',
                                                  'healthcare organizations',
                                                  'businesses']},
 'investigation_status': 'ongoing (sentencing scheduled for August 2024)',
 'motivation': ['financial gain (Bitcoin ransoms)',
                'disruption of U.S. public services'],
 'ransomware': {'data_encryption': True,
                'ransom_demanded': '$76,000 (Baltimore, unpaid)',
                'ransom_paid': 'No (Baltimore refused)',
                'ransomware_strain': 'Robbinhood'},
 'references': [{'source': 'U.S. Department of Justice (DOJ) press release'},
                {'source': 'Court documents (Gholinejad case)'}],
 'regulatory_compliance': {'legal_actions': ['criminal prosecution (DOJ)',
                                             'guilty plea on computer fraud '
                                             'and wire fraud conspiracy '
                                             'charges']},
 'response': {'communication_strategy': ['public statements by DOJ',
                                         'media coverage'],
              'containment_measures': ['taking hundreds of computers offline '
                                       '(Baltimore)'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'third_party_assistance': ['Bulgarian law enforcement '
                                         '(investigation support)']},
 'threat_actor': {'age': 37,
                  'co_conspirators': ['overseas accomplices (unnamed)'],
                  'name': 'Sina Gholinejad',
                  'nationality': 'Iranian',
                  'status': 'detained (January 2024), pleaded guilty '
                            '(2024-06)'},
 'title': 'Ransomware Attack on the City of Baltimore and Other U.S. '
          'Municipalities by Iranian Hacker Sina Gholinejad',
 'type': ['ransomware', 'extortion', 'cybercrime']}