An international ransomware sting has led to the arrest of five people suspected in 7,000 ransomware infections worldwide.
Since January 2020, Calgary police, the RCMP National Cybercrime Coordination Unit (NC3) and RCMP Technical Operations have been working with Europol on Operation GoldDust, which targeted the REvil (also known as Sodinokibi) ransomware family.
Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.
Police say REvil/Sodinokibi is alleged to have been a ransomware-as-a-service operation, which provided malware to affiliates in exchange for payment. The affiliates would then carry out targeted and indiscriminate attacks to encrypt or steal a victim’s data, and extort money from them in exchange for returning the data.
Investigators estimate approximately 600 of the infections occurred in Canada.
As a result of the Canadian investigation, CPS and the NC3 identified additional computer infrastructure and ransomware suspects in several countries in Europe and Asia, as well as infrastructure located in Canada.
The prosecution of the individuals arrested is being led by several European countries and the United States.
“Though these arrests happened thousands of kilometers away, the crimes these suspects committed had a very real impact on citizens in Calgary, and across Canada,” said Insp. Phil Hoetger of CPS Technical Investigations Section.
“This Operation demonstrates the necessity for law enforcement to work together, share information and pool resources in today’s digital era.”
It is estimated that only 5-10% of all cybercrimes and fraud are reported to police. But investigators say victim reporting is vital, adding that in this case, a Calgary business reported a ransomware attack, leading to a strong Canadian link to European-seized infrastructure and key investigative leads.
The NC3 and Canadian Anti-Fraud Centre (CAFC) are working together to implement a new national cybercrime and fraud reporting system. The new system is currently live in a beta version and is accepting up to 25 reports per day. The system is expected to be fully operational by 2024.
A decryption tool has been made available to any victims of REvil/Sodinokibi ransomware who have been unable to recover their files after an attack. Access to the decryption tool can be obtained from http://www.NoMoreRansom.org.