Suspected ransomware affiliate arrested in Canada

A 31-year old Canadian national has been charged in connection to ransomware attacks against organizations in the United States and Canada, a federal indictment unsealed today shows.

Parallel investigations from the Federal Bureau of Investigation and the Ontario Provincial Police (OPP) revealed that Matthew Philbert of Ottawa was involved in various cyberattacks.

Unfinished ransomware attack

Philbert was arrested on November 30, 2021, following an investigation dubbed 'Project CODA' that began in January 2020, when the FBI contacted the OPP about cyber incidents based in Canada.

According to the indictment, between April 2018 through May 2018, Philbert targeted at least ten computers of an organization in the healthcare sector from the District of Alaska.

The defendant did not manage to deploy ransomware on the victim's computers, the indictment shows, which would have affected the “medical examination, diagnosis, treatment and care” of multiple individuals.

“On or about April 28, 2018, within the District of Alaska and elsewhere, the defendant, MATTHEW PHILBERT,  knowingly caused and attempted to cause the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally caused and attempted to cause damage without authorization to a protected computer owned by the State of Alaska, and the offense caused and would, if completed, have caused: (a) the modification, impairment, and potential modification and impairment of the medical examination, diagnosis, treatment and care of 1 or more individuals; (b) a threat to public health and safety; and, (c) damage affecting 10 or more
protected computers during a 1-year period.”

Looking for reports of cyberattacks hitting healthcare-related organizations in the timeframe given in the indictment and found a breach notification from the state's Department of Health and Social Services.

The intrusion, pinned to April 26, resulted in the disclosure of personal information belonging to more than 500 people. Typically, ransomware is deployed in the last stage of an attack after the intruders determined what computers to encrypt.

Despite the matching details, BleepingComputer could not determine if the failed ransomware attack in Philbert's indictment is the same as the one in the breach notification from the Alaska Department of Health and Social Services.

Even if Philbert's indictment in the U.S. mentioned failed ransomware attacks, the investigation from the Ontario Provicial Police determined that the defendant deployed "numerous ransomware attacks" that impacted private businesses and government agencies in Canada.

In the U.S., Philbert is charged with one count of conspiracy to commit fraud and related activity in connection with computers and one count of fraud and related activity in connection with computers.

In Canada, the defendant faces charges for possession of a device to obtain unauthorized use of a computer system or to commit mischief, fraud, and unauthorized use of a computer.

On Philbert’s arrest, the police in Canada seized desktop and laptop computers, a tablet, multiple storage devices, mobile phones, the seed phrase for a Bitcoin wallet, and blank cards with magnetic strips.

During its investigation, the OPP received the assistance of the Royal Canadian Mounted Police’s National Cybercrime Coordination Unit (NC3) and Europol, which suggests that Philbert may have been involved in ransomware attacks outside the U.S. and Canada.

Related Articles:

Suspect behind Snowflake data-theft attacks arrested in Canada

Police arrest four suspects linked to LockBit ransomware gang

AutoCanada says ransomware attack "may" impact employee data

FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023

Attacks on Citrix NetScaler systems linked to ransomware actor