The dramatic takedown of the REvil ransomware gang in January by Russia’s Federal Security Service was a relief to businesses and organizations internationally.
But less known, until Wednesday, was the critical role that the Calgary Police Service played in putting a stop to REvil’s cybercrime spree. Police revealed the extent of their participation during the April Police Commission Meeting.
CPS was the only municipal police force asked to assist an international task force for Operation GoldDust.
“We’re very lucky to have some very skilled members of our team who were able to be considered subject matter experts in Canadian law enforcement on ransomware,” said Sgt. Danny Leong with the service’s cyber crime unit.
Cyber crimes officers attended meetings at Europol that included law enforcement from 17 countries, along with private industry support from McAfee and Bitdefender.
“Coming together we were able to pool our resources and our skill sets to resolve this organization,” said Sgt. Leong.
REvil was estimated to have taken in between $80 million and $100 million since 2019. Suspects were arrested in Russia, South Korea, and Kuwait.
Cyber crimes remain under-reported in Canada
The cyber crimes unit has existed for 11 years at CPS.
The Calgary Police Service was also the only Canadian police agency invited to train at The Hague to learn how to track cryptocurrencies. That skill set was said to be essential to investigating REvil, and also to current ongoing investigations.
“But compared to other agencies, because we’ve had the support of exec., we’ve been able to really develop our members and our teams and our skill sets,” said Leong.
Police said that ransomware attacks in Canada have been largely under-reported.
The task force was able to identify 35 attacks by REvil against organizations like JBS meatpacking, but estimated that there were more than 600.
“It’s an extremely difficult offense to measure, as the vast majority of our victims don’t report,” said Sgt. Leong.
Service aims to help companies report ransomware attacks
He said that the first response by organizations targeted by ransomware was to get their operations back to normal. For some companies, acting on the advice of corporate legal teams or on their incident response plans, this may mean never reporting to police that an attack has occurred.
“There are a plethora of reasons that are very legitimate as to why somebody wouldn’t report: reputational harm, shareholder sentiment, their legal team may be advising against, insurance policies,” said Sgt. Leong.
“So it’s not that corporations don’t want to report to the police, they have other priorities that are ahead.”
The Calgary Police Service said that it will be meeting with Chief Information Officers to help their companies be more comfortable in reporting these crimes to police.
“So these are the discussions we want to have before the incidents occur, so that we’ve got the contacts and so that they’ve got some comfort in how they can report to us,” Leong said.