U.S. State Department Puts $10 Million Bounty on DarkSide Ransomware Group


The United States government is putting a $10 million bounty on the leaders of the DarkSide cybercriminal organization, the ransomware group behind the attack earlier this year on Colonial Pipeline that caused major gas shortages and long lines at filling stations in the Southeast.

The reward, announced this week by the State Department, is the latest move by the Biden administration to push back against ransomware and other cyberthreats, particularly those aimed at U.S. companies and critical infrastructure.

It also came a day after BlackMatter – the Russia-based ransomware group that either rose to prominence in the wake of the DarkSide gang shutting down or was a rebranded version of DarkSide – announced it, too, was closing operations, reportedly due to pressure from authorities.

In a statement, State Department officials said the government was offering up to $10 million for information that leads to the identification or location of leaders of DarkSide, and up to $5 million for information that leads to the arrest or conviction, in any country, of anyone who participated or attempted to participate in an attack involving the DarkSide variant.

They noted that DarkSide was behind the Colonial Pipeline ransomware attack in May, which caused the company to shut down a 5,500-mile pipeline that carries 45 percent of the fuel used on the East Coast. The bounties are being offered through the State Department’s Transnational Organized Crime Rewards Program (TOCRP).

Cybersecurity experts applauded the move. Ilia Kolochenko, founder of ImmuniWeb and a member of Europol Data Protection Experts Network, called it a “smart and effective strategy to curb surging cybercrime.” Kolochenko noted that 90 percent of cybercrimes remain unsolved because of underfunded law enforcement agencies, legal technicalities and the ability for bad actors to remain anonymous.

“Nonetheless, cybercriminals are all humans,” he told eSecurity Planet. “They are prone to the same human weaknesses as everybody else. They may accidentally disclose their illicit activities to friends or boast about hacking to their [girlfriends] or boyfriends. Finally, rival hacking groups may know each other in person and perfidiously report their competitors to earn money and increase their market monopoly. Therefore, starting a ‘bug bounty’ to unmask cybercriminals is a great and long-awaited idea that will likely bring fruitful results.”


Experts Support Cybercriminal Bounties

Danny Lopez, CEO of cybersecurity firm Glasswall, told eSecurity Planet that a “financial incentive from government entities could be a crucial step in combating the wave of ransomware attacks from DarkSide and related groups. Bounties encourage collaboration and intelligence sharing, which increases jeopardy for the attacker and may cause them to think again.”

This move and previous efforts by the Biden administration, including executive orders designed to shore up the country’s cyber defenses, “show that federal cyber leaders are pushing for a more secure future for the U.S.”

Jake Williams, co-founder and CTO at incident response solutions vendor BreachQuest, said ransomware operators have embraced an affiliate operational model, so the number of people involved has increased.

“With rewards this large, there’s a substantial incentive for these criminals to turn on one another,” Williams said. “Perhaps more importantly than the specific impacts to DarkSide, this action undermines trust across the ransomware as a service affiliate model. This is especially good timing since it capitalizes on the recent … infiltration by law enforcement [of the REvil ransomware operation]. The law enforcement action against REvil in July already caused significant trust issues among operators. This drives that wedge deeper and will extend far beyond DarkSide.”

And bounties work, Sean Nikkel, senior cyber threat intel analyst at cybersecurity firm Digital Shadows, told eSecurity Planet. He pointed to the $25 million bounty that was put on Osama Bin Laden after the 9/11 attacks, saying that “it does illustrate how important this information might be, especially since the incentive is enough that it potentially turns friends into foes.”

“It will be interesting to see if further bounties are offered for other notorious ransomware actors or not, based on the success or failure of this initiative,” Nikkel said. “This all comes on the heels of continuing moves by the Biden administration to bolster its fight against ransomware, especially when considered with recent sanctions, the creation of task forces and new agencies, and other recent talking points.”


Ransomware Risks Growing

Ransomware over the past several years has become a top cybersecurity threat. A report in September from cybersecurity vendor Fortinet found that two-thirds of organizations have been the target of at least one ransomware attack and 85 percent are more concerned about ransomware than any other cyberthreat. Ransomware now accounts for 69 percent of all malware, according to Positive Technologies, a jump of 30 points in a year.

Just this week, Cisco Systems’ Talos threat intelligence group said cybercriminals are using a ProxyShell vulnerability to deploy the Babuk ransomware by hacking Microsoft Exchange servers to access corporate networks.

Figure: Ransomware risks (source: Fortinet)

Ransomware attacks are costly. Cybersecurity company Sophos in April reported that the average total cost of recovery from a ransomware attack grew from $761,106 in 2020 to $1.85 million this year, with the average ransom paid hitting $170,404. ThycoticCentrify found in a recent survey that 83 percent of victims pay the ransom.

Netenrich, another cybersecurity company, found that 83 percent of companies said their businesses would be damaged during the first 24 hours of an outage caused by ransomware or other attacks.

Ransomware groups also continue to evolve and refine their operations. That has included offering their malware to others in a ransomware-as-a-service (RaaS) model and threatening to not only keep a victim’s captured data encrypted but also to leak the data onto the dark web if the ransom isn’t paid.

Some, like DarkSide, also have turned their focus to critical infrastructure companies, like Colonial Pipeline and JBS, a global meat supplier. Steve Moore, chief security strategist with cybersecurity vendor Exabeam, told eSecurity Planet that bad actors see a way of hurting both critical and financial operations, such as threatening to release data during sensitive merger negotiations and other insider info.

“I believe that the Biden administration calls out DarkSide specifically due to their desire to manipulate the victim’s stock price and the additional stress it could represent on financial markets,” Moore said. “In April … they bragged about having access to companies who trade on the NASDAQ and other exchanges. If payment isn’t received, they [threaten to] release information before their earnings statements are made, allowing those ‘in the know’ to profit by shorting the stock.”


Will Government Ransomware Efforts Work?

The Biden administration this year has urged U.S. companies to take ransomware seriously and to shore up their defenses. It also has issued executive orders aimed at improving the nation’s cybersecurity posture and has worked with the IT industry to address the ongoing threat. In addition, the U.S. government is trying to put pressure on Russia and other countries that are known to allow cybercriminal gangs to operate within their borders. Russia is accused of harboring a number of high-profile malware groups, including DarkSide, REvil, BlackMatter and APT 29 (also known as Cozy Bear and Nobelium). APT 29 is suspected of being associated with Russian government intelligence agencies.

John Bambenek, principal threat hunter at Netenrich, told eSecurity Planet he was skeptical the State Department’s $10 million offers will result in arrests.

“Handing out rewards for ransomware operators is a novel technique to try to increase pressure to bring these criminals to justice,” Bambenek said. “However, absent a bounty hunter willing to travel to their jurisdiction, put their unconscious body in a bag and dump it at the nearest US embassy, I doubt this will have much of an impact. To be fair, it certainly won’t hurt either. I just don’t expect to see any press conference with the Secretary of State handing out a large, cardboard $10 million check any time soon.”

Jeff Burt