Canadian Ransomware Arrest Is a Meaningful Flex, Experts Say

U.S. and Canada charge Ottawa man for ransomware attacks, signaling that North America is no cybercriminal haven.

Investigations that ran in parallel over nearly two years by Canadian and U.S. law enforcement have led to this week’s arrest of an Ottawa man, who is alleged to have an extensive track record of ransomware attacks on companies, governments and individuals.

The highly publicized arrest is a message to North American ransomware operators — law enforcement is on the case.

The U.S. charges are focused on a specific attack on a computer owned by the State of Alaska, but Ontario Provincial Police (OPP) Detective Inspector characterized 31-year-old Matthew Philbert as “the most prolific cybercriminal we’ve identified to date,” in an exclusive interview with Krebs on Security.

Canadian authorities have charged Philbert with fraud, using a computer to commit mischief and unauthorized use of a computer.

Project CODA

The OPP joined with the FBI for a press conference following the arrest, which is part of a joint cybercrime task force called CODA.

“The FBI alongside our international partners, OPP and RCMP (Royal Canadian Mounted Police), will continue to investigate these malicious cyber-actors who continue to target U.S. and Canadian infrastructure,” FBI attaché Brian Abellera said. “We will hold these criminals responsible for trying to exploit and threaten these industries. We will impose risk and consequence by leveraging all of the tools in our toolbelt especially our partnerships to ensure these perpetrators are brought to justice.”

This is a significant signal to cybercriminals operating in North America, who are rarely held accountable for their crimes, according to John Bambenek, principal threat hunter with Netenrich.

“With so many cybercriminals not facing any consequences, any arrest is a big deal, especially when it is someone operating in North America,” Bambenek told Threatpost. “Given both the level of international cooperation required and obtained, and the scope of this individual’s criminal career, the arrest is welcome news.”

While Canada hasn’t historically been tough on cybercrime, Malwarebytes’ Jerome Segura pointed to two signals that the country is starting to crack down: the January arrest of a Canadian man living in Florida who the Department of Justice said was behind the Netwalker ransomware attacks, and penalties assessed by the country’s regulatory authority over malicious advertising, or malvertising, practices.

“While Canada may not always brag or get recognition for its cyber-efforts, government entities and private companies have taken part in significant cases over time,” Segura told Threatpost. “Having said that, ongoing global cooperation and especially cooperation between the U.S. and Canada in the fight against cybercrime is a positive sign that online criminals can and will be prosecuted.”

Enforcement Messaging to Deter Ransomware Attacks

Messaging is an important part of deterring future ransomware attacks, Tim Wade, CTO of Vectra AI, told Threatpost.

“Destroying the ransomware supply chain involves disincentivizing participation,” Wade explained. “An extremely effective way to disincentivize participation is to make clear that there are no safe havens, the activities are not overlooked and justice will be served. This development appears to check the box on all three of those fronts.”

Just days ago, Gen. Paul Nakasone, who heads up the U.S. military’s Cyber Command unit, publicly admitted they will go after any ransomware actors who target American companies.

The ratcheting up of enforcement and rhetoric comes amid record-breaking damage being inflicted on businesses. Thanks to easy access to ransomware tools through ransomware-as-a-service providers and how easy organizations make it to break into their systems, the cybercrime business is booming. Group-IB just released a report that found a 935 percent spike in ransomware damage over the past year alone.

Governments Headed in ‘New Direction’

“Where the true significance lies is in the actions being taken — it seems like the U.S., Canada and international governments in general are taking the ransomware threat more seriously,” Jaron Bradley, detections lead at Jamf, said in reaction to the news of the arrest. “Federal law enforcement agencies taking a more aggressive stance in going after the bad guys means we’re heading in a new direction.”

FBI attaché Brian Abellera used the press conference announcing the Philbert arrest as an opportunity to warn other cybercriminals this arrest is just “one of many to come.”

Organized Crime Might Benefit

And while individual private ransomware operators will likely feel the heat of the international cop crackdown, Dane Sherrets warned this could provide an opportunity for organized crime to increase its market share.

“Any action by law enforcement against cybercriminals is a step in the right direction for deterrence — especially when they catch a cybercriminal,” Sherrets told Threatpost. “There’s no doubt we will see more organized criminal groups, like Darkode, proliferating but this arrest is a sign that law enforcement is becoming savvier and more dedicated to identifying cybercriminals.”

Organized crime rings have the benefit of being able to operate anywhere in the world to evade arrest, Sherrets added, meaning there’s still work to be done.

“In order to make a significant impact to eliminate these kinds of organizations we will need a concerted international effort between the security community, governments and organizations,” Sherrets said.
