US offers $10 million reward for information on DarkSide leaders, $5 million for affiliates

The State Department has put a bounty on the heads of the leaders of the DarkSide/BlackMatter ransomware.

The US State Department is continuing its offensive against ransomware groups, announcing a reward of up to $10 million for any information "leading to the identification or location of any individuals holding key leadership positions in the DarkSide ransomware variant transnational organized crime group."

State Department spokesman Ned Price added that there is a $5 million reward "for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a DarkSide variant ransomware incident."

"The DarkSide ransomware group was responsible for the Colonial Pipeline Company ransomware incident in May 2021, which led to the company's decision to proactively and temporarily shut down the 5,500-mile pipeline that carries 45% of the fuel used on the East Coast of the United States," Price said. 

"In offering this reward, the United States demonstrates its commitment to protecting ransomware victims around the world from exploitation by cybercriminals. The United States looks to nations who harbor ransomware criminals that are willing to bring justice for those victim businesses and organizations affected by ransomware." 

The financial rewards are part of the Transnational Organized Crime Rewards Program, and the State Department noted that it had paid $135 million in rewards since it was created in 1986. 

The news of the rewards comes just one day after the cybercriminals behind the BlackMatter ransomware -- a rebranded version of DarkSide -- said they were closing shop due to increased pressure from law enforcement. 

In messages obtained by a member of the vx-underground group, the prolific BlackMatter ransomware group said that due to "certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) -- project is closed."

"After 48 hours, the entire infrastructure will be turned off, allowing: Issue mail to companies for further communication [and] Get decryptor. For this, write 'give a decryptor' inside the company chat, where necessary. We wish you all success; we were glad to work," the group said in messages on its website. 

The message did not explain what "news" caused the closure, but the last two weeks have featured dozens of stories and incidents that reflect an increasingly precarious environment for the group. 

The group attacked multiple agricultural companies after rebranding under the BlackMatter name, but cybersecurity company Emsisoft created a decryptor that was able to help many victims of the ransomware. 

US Cyber Command and a foreign government conducted a successful disruption operation on the REvil ransomware group while officers from Europol arrested the Ukrainian group behind the MegaCortex, Dharma and LockerGoga ransomware last week. 

Emsisoft threat analyst Brett Callow wondered whether the former DarkSide/BlackMatter affiliates who reportedly lost millions due to the gang's ineptitude would be tempted by the rewards offered by the State Department.

"Given the right motivation, cybercriminals would happily throw each other under the bus -- and they all know that. And cash is absolutely the right motivation," Callow said. 

"The reward will create even more distrust in the criminal underworld, and that will make it harder for the gangs to operate. This is a very smart move from the US."