Calgary Police Service and RCMP contribute to ransomware arrests and seizures overseas in Operation GoldDust
Today, Europol announced the arrest of five individuals believed to be connected to Operation GoldDust, a Europol-led and internationally-supported investigation into several high-profile ransomware “families”. The individuals arrested are suspected of being responsible for 7,000 ransomware infections worldwide. Canadian investigators estimate approximately 600 infections occurred in Canada.
Ransomware attacks continue to be one of the largest cyber-security threats to individuals and businesses around the globe. Because of the nature of these cybercrimes, investigations into these attacks are often complex and involve offenders, digital evidence and computer infrastructure that are located in multiple jurisdictions.
Since January 2020, the RCMP National Cybercrime Coordination Unit (NC3), RCMP Technical Operations and Calgary Police Service (CPS) Cybercrime Team led the Canadian investigation in Europol’s Operation GoldDust, which targeted the REvil (also known as Sodinokibi) ransomware family.
REvil/Sodinokibi is alleged to have been a ransomware-as-a-service (Raas) operation, which provided malware to affiliates in exchange for payment. The affiliates would then carry out targeted and indiscriminate attacks to encrypt or steal a victim’s data and extort them for money in exchange for returning the data.
As a result of the Canadian investigation, CPS and the NC3 identified additional computer infrastructure and ransomware suspects in several countries in Europe and Asia, as well as infrastructure located in Canada. The prosecution of the individuals arrested is being led by several European countries and the United States.
Policing efforts in the cyber realm are facing unprecedented challenges. However, as cyber criminals evolve, so do law enforcement and partners. Operation GoldDust is another excellent example of the importance of national and international partnerships and collaboration. In this case, Europol and the Joint Cybercrime Action Taskforce (J-CAT) were instrumental in sharing intelligence and coordinating enforcement actions.
Though these arrests happened thousands of kilometers away, the crimes these suspects committed had a very real impact on citizens in Calgary, and across Canada. This Operation demonstrates the necessity for law enforcement to work together, share information and pool resources in today’s digital era.
No organization can fight cybercrime alone. The NC3 was created to help bring law enforcement, and the public and private sectors together to collaborate in combatting cybercrime. People and organizations can help too by learning how to protect yourself and reporting it to local police. There is no shame in falling victim. Police are here to help and your reports can assist in taking down criminals, their networks and their assets.
Tips for ransomware attack victims:
A decryption tool has been made available to any victims of the REvil/Sodinokibi ransomware who have been unable to recover their files after an attack. Access to the decryption tool can be obtained from www.NoMoreRansom.org.
Victim reporting is vital to law enforcement. In this case, if a Calgary business had not reported a ransomware attack to CPS, a strong Canadian link to the European seized infrastructure and key investigative leads may not have been possible.
CPS and the RCMP strongly recommend that anyone who has been a victim of a ransomware attack or cybercrime, to contact their local police immediately. Local police services can document the reported cybercrime, begin the investigation process and engage provincial or national policing resources if and as required, such as the NC3. It is also recommended, whether you are a victim or not, that the incident is reported to the Canadian Anti-Fraud Centre (CAFC) via their online reporting system or, by phone, at 1-888-495-8501.
Finally, the RCMP and CPS do not recommend paying the ransom in response to a ransomware attack. Paying a ransom does not guarantee that victim data will be unencrypted or that data will not be leaked by ransomware operators. Ransomware payments also directly fund and support criminal activity, encourage perpetrators to target more victims, and offer an incentive for others to get involved in this illegal activity.
- Cybercrime continues to be the cyber threat that is most likely to affect Canadians and Canadian organizations.
- It is estimated that only 5-10% of all cybercrimes and fraud are reported to police.
- The RCMP continues to see an increase in ransomware in Canada. From April 1, 2020 until end of September 2021, the RCMP’s National Cybercrime Coordination Unit (NC3) has received a total of 2,375 request for operational assistance from domestic and international law enforcement partners. Since the beginning of this fiscal year, approximately 50% of NC3 requests have involved ransomware.
- Since 2016, CPS has investigated 100 reports of ransomware attacks in Calgary.
- The NC3 and Canadian Anti-Fraud Centre (CAFC) are working together to implement a new national cybercrime and fraud reporting system. The new system is currently live in a beta version and is accepting up to 25 reports per day. The system is expected to be fully operational by 2024.