The RCMP and Calgary police played a role in the investigation leading to the arrest last week in Romania of two people believed to be connected to the Sodinokibi/REvil ransomware operation, joining others arrested earlier this year.
The announcement was the second important strike against those involved in REvil this week. On Monday the U.S. unsealed charges against two people who allegedly deployed the Sodinokibi/REvil ransomware to attack businesses and government entities in the United States.
The two Canadian law enforcement agencies said Monday that the five arrested are suspected of being responsible for 7,000 ransomware infections worldwide, estimating that approximately 600 of them occurred in Canada.
“Though these arrests happened thousands of kilometers away, the crimes these suspects committed had a very real impact on citizens in Calgary, and across Canada,” said Inspector Phil Hoetger of the Calgary Police Service’s technical investigations section. “This operation demonstrates the necessity for law enforcement to work together, share information and pool resources in today’s digital era.”
“No organization can fight cybercrime alone,” said Chris Lynam, director-general of the RCMP’s National Cybercrime Co-ordination Unit (NC3) and Canadian Anti-Fraud Centre. “The NC3 was created to help bring law enforcement and the public and private sectors together to collaborate in combating cybercrime. People and organizations can help too by learning how to protect yourself and reporting it to local police. There is no shame in falling victim. Police are here to help and your reports can assist in taking down criminals, their networks and their assets.”
The NC3 and Calgary’s police cybercrime team led the Canadian part of Europol’s Operation GoldDust, a 17-nation investigation that targeted the REvil/Sodinokibi ransomware family. The Canadian agencies have been working on the operation since January 2020.
Here’s how the arrests break down:
–Europol said that on November 4th, Romanian authorities arrested two individuals suspected of cyber-attacks deploying the Sodinokibi/REvil ransomware. They are allegedly responsible for 5,000 infections, which in total brought in half a million euros in ransom payments;
–Also earlier this year South Korea arrested three affiliates involved in the GandCrab and Sodinokibi/REvil ransomware families, which had more than 1,500 victims;
–On November 4th, Kuwaiti authorities arrested another GandCrab affiliate.
This means a total of seven suspects linked to the two ransomware families have been arrested since February 2021. They are suspected of attacking about 7,000 victims in total.
The RCMP said ransomware is rising in Canada. From April 1, 2020 until the end of September 2021, the NC3 received 2,375 requests for operational assistance from domestic and international law enforcement partners, and since the beginning of this fiscal year (April 1), half of those requests have involved ransomware.