Feds Post $10 Million Reward for DarkSide Ransomware ActorsRewards for Identifying Ransomware Gang Members Targeting Critical Infrastructure
The U.S. State Department is offering rewards of up to $10 million for information that leads to the identification or location of members of the DarkSide ransomware gang and others who attack critical infrastructure.
The ransomware attack on May 7 against Colonial Pipeline Co. involved the DarkSide ransomware. Although the ransomware didn't directly affect the pipeline, the company voluntarily took the 5,500-mile pipeline offline as a safety precaution, causing fuel shortages. The incident and others this year pushed ransomware to the top of the U.S. national security agenda (see: Colonial Pipeline: Attack Exposed Personal Data).
#Breaking: The @StateDept is offering rewards of up to $10 million for information that leads to the identification, arrest, or conviction of leaders of (or participants in) the DarkSide ransomware transnational organized crime group. https://t.co/6WrtKHb8vS pic.twitter.com/jr6qIeDLL7— FBI (@FBI) November 4, 2021
The Department of State is offering a second reward of up to $5 million for information that leads to the arrest or conviction of anyone in any country who wants to participate or did participate in a DarkSide ransomware incident, according to a news release.
The reward money comes from the State Department's Transnational Organized Crime Rewards Program, or TOCRP.
There's a more expansive description of the new rewards on the State Department's Rewards for Justice website, which is generally focused on stopping terrorism.
In that version, the $10 million reward could be awarded to anyone who divulges information about people who participate "in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA)."
The State Department says that relocation is possible for informants as well as reward payments made in cryptocurrency. The department has also set up a tip channel using SecureDrop on Tor, and that address is here.
Release the Hounds
The U.S. government has expressed increasing frustration and concern over ransomware, which is causing economic damage and threatening critical infrastructure. Much of that ire has been directed at Russia, which the U.S. contends harbors ransomware gangs.
Colonial Pipeline's Co. pipeline was shut down for around six days after an affiliate of the DarkSide ransomware gang attacked its systems. Ransomware affiliates use malware created by a ransomware gang and pay the gang a slice of the ransoms gained.
The company's pipeline, which runs from Texas to New York, supplies some 45% of the fuel for the eastern U.S. The company paid a $4.4 million ransom to gain the decryption key. But after restoration from the key proved to be too slow, the company instead restored systems via backups.
The FBI then recovered $2.3 million paid to the attackers.
The U.S. and other countries, including Australia, have signaled they plan to use offensive cyber capabilities to disrupt ransomware gangs, an action jokingly referred to as "releasing the hounds."
On Thursday, Deputy Attorney General Lisa Monaco said the public will see in the coming days and weeks more arrests, more seizures of ransomware payments and law enforcement operations, according to The Associated Press.
Monaco told the AP in an interview: "We are not going to stop. We’re going to continue to press forward to hold accountable those who seek to go after our industries, to hold our data hostage and threaten national security, economic security and personal security."
Similarly, Mike Pezzullo, secretary of the Department of Home Affairs in Australia, said the Australian Signals Directorate is using its offensive capabilities against ransomware gangs every night, according to the publication InnovationAus.
REvil Gets Pwned
The aggressive statements come as The Washington Post reports that offensive actions by U.S. Cyber Command and a foreign government triggered one ransomware group to ostensibly call it quits.
The Post reports that the unnamed foreign government had hacked servers belonging to REvil, which targeted the software company Kaseya and the world's largest meat producer, JBS, earlier this year.
Cyber Command launched a distortion operation against REvil last month, as I called to do in my NYT oped over 6 weeks agohttps://t.co/XYHejWzktS— Dmitri Alperovitch (@DAlperovitch) November 3, 2021
REvil, believed to be based in Russia, discovered that it was compromised after Cyber Command apparently employed a denial-of-service attack to block the website it used to extort victims, the Post reports.
One REvil threat actor, who goes by the nickname 0_neday, wrote on a forum that some of its domains had been hijacked and a server was compromised. REvil then apparently called it quits.
A key lesson from that revelation is that ransomware actors do fear discovery and arrest, which could influence their behavior, says Dmitri Alperovitch, the former CTO of security firm CrowdStrike.
"The fascinating thing here is that this might be the first time where we have visibility into real-time commentary from the adversary that is being impacted by an offensive cyber operation, giving us some view into what works and doesn’t against them," Alperovitch tweeted.