City of Gresham, City of Yonkers, New York, City of Greenville and North Carolina: Iranian pleads guilty to ransomware operation that hit Baltimore

Iranian National Pleads Guilty in U.S. Ransomware Scheme Targeting Cities, Causing Millions in Damages

A 37-year-old Iranian national, Sina Gholinejad, pleaded guilty in a North Carolina federal court on Tuesday to charges tied to a ransomware and extortion operation that disrupted city governments and businesses across the U.S. Gholinejad admitted to one count of computer fraud and abuse and one count of conspiracy to commit wire fraud, facing up to 30 years in prison. His sentencing is scheduled for August.

Prosecutors revealed that Gholinejad and unidentified coconspirators deployed the RobbinHood ransomware variant to encrypt files on targeted networks, demanding ransom payments in exchange for decryption. Among the victims were the city governments of Greenville, North Carolina (April 2019) and Baltimore (May 2019), as well as other municipalities, including Gresham, Oregon, and Yonkers, New York, along with private entities.

The attack on Baltimore proved particularly costly. Hackers demanded $76,000 in Bitcoin, which city officials refused to pay. The breach resulted in over $19 million in damages, crippling critical services for months, including online processing of property taxes, water bills, and parking citations. Prosecutors noted that the conspirators later used the damage inflicted on Baltimore to intimidate other victims.

The scheme began in January 2019, when attackers infiltrated victim networks, exfiltrating data to private servers under their control. Gholinejad was initially charged in a sealed April 2024 indictment, unsealed during Tuesday’s hearing. While the plea agreement details remain undisclosed, the case highlights the FBI’s efforts to dismantle transnational cybercrime operations.

The investigation involved the FBI’s Charlotte and Baltimore field offices, the Justice Department’s National Security Cyber Section, and the National Security Division, underscoring the severity of ransomware attacks as a threat to public infrastructure. Acting U.S. Attorney Daniel Bubar emphasized that such crimes "are not victimless" but directly harm communities.

Source: https://thedailyrecord.com/2025/05/27/iranian-guilty-plea-baltimore-ransomware-attacks/

City of Gresham cybersecurity rating report: https://www.rankiteo.com/company/city-of-gresham

City of Greenville, South Carolina cybersecurity rating report: https://www.rankiteo.com/company/cityofgreenvillesc

City of Yonkers cybersecurity rating report: https://www.rankiteo.com/company/city-of-yonkers

"id": "CITCITCIT1776690096",
"linkid": "city-of-gresham, cityofgreenvillesc, city-of-yonkers",
"type": "Ransomware",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"

{'affected_entities': [{'industry': 'Municipal',
                        'location': 'Greenville, North Carolina, USA',
                        'name': 'City of Greenville, North Carolina',
                        'type': 'Government'},
                       {'industry': 'Municipal',
                        'location': 'Baltimore, Maryland, USA',
                        'name': 'City of Baltimore',
                        'type': 'Government'},
                       {'industry': 'Municipal',
                        'location': 'Gresham, Oregon, USA',
                        'name': 'City of Gresham, Oregon',
                        'type': 'Government'},
                       {'industry': 'Municipal',
                        'location': 'Yonkers, New York, USA',
                        'name': 'City of Yonkers, New York',
                        'type': 'Government'},
                       {'type': 'Private entities'}],
 'attack_vector': 'Network infiltration',
 'data_breach': {'data_encryption': 'Yes (files encrypted by ransomware)',
                 'data_exfiltration': 'Yes'},
 'description': 'A 37-year-old Iranian national, Sina Gholinejad, pleaded '
                'guilty to charges tied to a ransomware and extortion '
                'operation that disrupted city governments and businesses '
                'across the U.S. The scheme involved deploying the '
                '*RobbinHood* ransomware variant to encrypt files on targeted '
                'networks and demanding ransom payments in exchange for '
                'decryption.',
 'impact': {'data_compromised': 'Exfiltrated data to private servers',
            'downtime': 'Months (Baltimore)',
            'financial_loss': '$19 million (Baltimore alone)',
            'operational_impact': 'Disrupted city services, halted online '
                                  'processing of payments',
            'systems_affected': 'City government networks, critical services '
                                '(property taxes, water bills, parking '
                                'citations)'},
 'investigation_status': 'Guilty plea entered, sentencing scheduled for August',
 'motivation': 'Financial gain',
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransom_demanded': '$76,000 in Bitcoin (Baltimore)',
                'ransom_paid': 'No (Baltimore refused to pay)',
                'ransomware_strain': 'RobbinHood'},
 'references': [{'source': 'U.S. Department of Justice'}],
 'regulatory_compliance': {'legal_actions': 'Federal charges (computer fraud '
                                            'and abuse, conspiracy to commit '
                                            'wire fraud)'},
 'response': {'law_enforcement_notified': 'Yes'},
 'threat_actor': 'Sina Gholinejad and unidentified coconspirators',
 'title': 'Iranian National Pleads Guilty in U.S. Ransomware Scheme Targeting '
          'Cities, Causing Millions in Damages',
 'type': 'Ransomware'}