Skip links

Reward! Uncle Sam promises $10m for info about DarkSide ransomware gang chiefs

US authorities are dangling a $10m reward for information on the DarkSide gang, while Interpol says half a dozen people were arrested in Ukraine on suspicion of being part of the Cl0p extortionist crew.

The US bounty was offered last night by the foreign ministry, which said in a statement it wants information about “any individual(s) who hold(s) a key leadership position in the DarkSide ransomware variant transnational organized crime group.”

DarkSide was the criminal crew involved in the US Colonial Pipeline hack, where a vital oil conduit feeding America’s eastern coast was out of action for weeks following a ransomware attack. The company bought off the crooks to regain access to its billing software; the attack didn’t compromise operational technology (OT) used to control the pipeline itself.

In a none-too-subtle pop at Vladimir Putin’s Russia, the US State Department added: “The United States looks to nations who harbor ransomware criminals that are willing to bring justice for those victim businesses and organizations affected by ransomware.”

There is also a $5m reward for anyone giving information that leads to “the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a DarkSide variant ransomware incident.”

A member of Blackmatter (aka Darkside) said yesterday the ransomware crew has pulled down the shutters due to “certain unsolvable circumstances associated with pressure from the authorities”.

Most suspect this is not the last we’ll see of the crew.

Clippety Cl0p

In further ransomware-gang-pwning news, today Interpol declared that Ukrainian and South Korean police forces were aided by the infosec industry when they arrested half a dozen people on suspicion of being part of the Cl0p ransomware gang.

The 30-month “transcontinental investigation”, named Operation Cyclone by Interpol, is said to have led to Interpol Red Notices (international please-arrest-this-suspect notes) being issued, resulting in June’s arrests. Cl0p’s publicly visible activity declined after the arrests.

“Despite spiralling global ransomware attacks, this police-private sector coalition saw one of global law enforcement’s first online criminal gang arrests, which sends a powerful message to ransomware criminals, that no matter where they hide in cyberspace, we will pursue them relentlessly,” said Interpol’s cybercrime director Craig Jones.

The infosec companies who gave the investigating authorities a hand were named by Europol today as Trend Micro, CDI, Kaspersky Lab, Palo Alto Networks, Fortinet and Group-IB, as well as Korea’s S2W Lab and KFSI.

The partnership flowed from Interpol’s Gateway project, which the organisation’s Secretary General, Jürgen Stock, previously compared to multinational law enforcement projects designed to take down “trafficking or mafia groups”.

“Ransomware has become too large of a threat for any entity or sector to address alone; the magnitude of this challenge urgently demands united global action which INTERPOL can uniquely facilitate as a neutral and trusted global partner,” added Secretary General Stock, speaking in July. ®