Wanted! US offers $10m bounty for ransomware kingpins

Wanted! US offers $10m bounty for ransomware kingpins

The US State Department is offering a massive $10 million reward if you can help bring DarkSide to justice.

The U.S. Department of State announces a reward offer of up to $10,000,000 for information leading to the identification or location of any individual(s) who hold(s) a key leadership position in the DarkSide ransomware variant transnational organized crime group.

And they aren’t just after the ransomware group members.

The State Department is also offering a reward of up to US $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a DarkSide variant ransomware incident. An incentive that seems to be aimed at capturing the affiliates that penetrate victims’ networks with the goal of deploying the ransomware later on.

The Department of State manages two US government programs that offer rewards of up to $25 million for information leading to the arrest and/or conviction of members of significant transnational criminal organizations and the disruption of other forms of transnational organized crime. 


DarkSide is thought to have originated in the Russian Federation and/or Ukraine, and was first observed in the wild in August 2020 and is thought to be a product of the FIN7 group.

DarkSide has targeted many organizations in almost every vertical in the Middle East, Europe, and the United States, but it is most notorious for its role in the attack on the Colonial Pipeline. The attack in May 2021 triggered a shutdown of the largest fuel pipeline on US east coast, which sparked a new urgency in the US government’s determination to tackle ransomware.

DarkSide ransomware was sold using the Ransomware-as-a-Service (RaaS) distribution model, so attacks were carried out by affiliates. Like many other modern ransomware families, DarkSide was mostly manually-operated. This means that the ransomware was executed by an actual person behind the screen, after they had successfully infiltrated a target network. Such attacks focus on extracting enormous ransoms from a relatively small number of victims, rather on extracting small ransoms from large numbers of victims, as was more common in the past.

Threat actors can spend weeks or even months inside victims’ networks before running the ransomware; moving laterally, scouring the entire network, elevating their privileges, deleting backups, and leaving backdoors in vulnerable systems. When an attacker has administrator credentials, and access to business-critical systems, they deploy DarkSide.

The DarkSide ransomware group called it quits after some of its servers and Bitcoin accounts were seized, and its DarkSide Leaks blog was shut down. This was believed to be the work of either the US government, local law enforcement, or other gangs looking to profit from DarkSide’s downfall.

Soon after, a new ransomware group who called themselves BlackMatter surfaced on the dark web, which was generally seen as the latest flavor in a long lineage of RaaS providers. Recently, the BlackMatter ransomware gang announced they are going to shut down their operation, citing pressure from local authorities.

Motives for the reward

One question that immediately popped into my head, is why they would offer such a reward for members of an organization that, officially, no longer exists?

Officially, the press statement tells us that in offering this reward, the United States demonstrates its commitment to protecting ransomware victims around the world from exploitation by cybercriminals. On top of that, it mentions the Colonial Pipeline incident as a prime example for how disruptive these ransomware attacks are.

But, given the timing and the unlikelihood of ever apprehending one of the key players, it stands to reason to speculate about possible other motives. One way to disrupt the ransomware industry might be to feed the growing distrust between groups and their affiliates.

With the recent announcement that BlackMatter is about to shut down its operation, and many security professionals expecting it to re-surface under yet another new name, you can imagine that having a price of $10 million dollars on your head might slow you down a bit. Not just because it becomes harder to trust new partners, but also because it might scare potential new partners away.

By creating unrest and spreading disinformation among ransomware groups and their affiliates, the US government can hope to slow down operations. And by going after the key players of the group and their affiliates, they may instigate some caution in the operators at the moment when they pick a target.

The size of the reward is perhaps a counterweight to the enormous ransoms feeding the ransomware epidemic. The ransomware model is so profitable that smaller rewards may not be enough to attract an insider willing to snitch.

Should you manage to cash in that reward, don’t forget where you read about it first.

Stay safe, everyone!