The U.S. Department of State is offering up to $10,000,000 for information leading to identifying or locating any individual(s) who hold a key leadership position in the DarkSide ransomware crime group. The Department is also offering a reward of up to $5,000,000 for information leading to the arrest and conviction in any country of any individual conspiring or attempting to participate in a DarkSide attack.

The reward is being offered under the Department of State’s Transnational Organized Crime Rewards Program (TOCRP), which is managed in close coordination with federal law enforcement partners as part of a whole government effort to disrupt and dismantle transnational organized crime globally. According to the Department, more than 75 international criminals and major narcotics traffickers have been brought to justice under the TOCRP and the Narcotics Rewards Program (NRP) since 1986. The Department has paid more than $135 million in rewards to date.

The DarkSide ransomware group, which operates as a ransomware-as-a-service, was behind the May 2021 Colonial Pipeline Company ransomware incident, which led to the company’s decision to proactively and temporarily shut down the 5,500-mile pipeline that carries 45% of the fuel used on the East Coast of the United States.

The group is also responsible for the theft of more than 100 GB of corporate data. On May 12, the group announced three more victims — a construction company based in Scotland, a renewable energy product reseller in Brazil, and a technology services reseller in the U.S. The threat actors claimed to have stolen a total of 1.9 GB of data from these companies, including sensitive information such as client data, financial data, employee passports, and contracts.  

With the rewards, the U.S. government hopes to protect ransomware victims worldwide from exploitation by cybercriminals. “The United States looks to nations who harbor ransomware criminals that are willing to bring justice for those victim businesses and organizations affected by ransomware,” the State Department said.

This announcement is extremely noteworthy, says Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows, a San Francisco-based digital risk protection solutions provider.

“While there was a similar announcement in July 2021 from the State Department for a $10M reward in the fight against nation-state activity, this is the first to target an actor explicitly. For reference, the reward for information leading to the capture of Osama bin Laden was $25M, so it does illustrate how important this information might be, especially since the incentive is enough that it potentially turns friends into foes,” Nikkel says. “It will be interesting to see if further bounties are offered for other notorious ransomware actors or not, based on the success (or failure) of this initiative. This all comes on the heels of continuing moves by the Biden administration to bolster its fight against ransomware, especially when considered with recent sanctions, the creation of task forces and new agencies, and other recent talking points.”

With rewards this large, there’s a substantial incentive for these criminals to turn on one another, says Jake Williams, Co-Founder and CTO at BreachQuest, an Augusta, Georgia-based leader in incident response. “Perhaps more importantly than the specific impacts to DarkSide, this action undermines trust across the ransomware as a service affiliate model. This is especially good timing since it capitalizes on the recent REvil infiltration by law enforcement. The law enforcement action against REvil in July already caused significant trust issues among operators. This drives that wedge deeper and will extend far beyond DarkSide (rebranded to BlackMatter and supposedly shut down this week).” 

For more information on the ransomware variant listed above and the TOCRP and NRP, please see the Department of State INL AntiCrime Rewards Program.