In May, a ransomware attack shut down a pipeline carrying 45 percent of the fuel used on the US East Coast. The Colonial Pipeline incident led to panic buying and heightened fears about the threat posed by simple hacks to national infrastructure. Now, the US State Department is offering a bounty of up to $10 million to anyone who can supply the “identity or location” of the leaders of the group responsible — an outfit known as DarkSide.
In addition to the $10 million bounty, the State Department is offering a reward of up to $5 million for information leading to the arrest or conviction “of any individual conspiring to participate in or attempting to participate in a DarkSide variant ransomware incident.” What exactly that means isn’t clear. Is a “DarkSide variant ransomware incident” one that involves the group’s hacking tools? What if the software has been altered slightly? It seems deliberately ambiguous, allowing the State Department to cast as wide a net as possible.
Fighting ransomware with bounties
The offer is the latest example of the US using monetary rewards to try and fight serious cybercrime. These bounties are offered under the Rewards for Justice (RfJ) program, which was originally established in 1984 to target international terrorism. The US evidently thinks cybercriminals now warrant the same level of attention and, in July, the State Department began offering bounties of up to $10 million through RfJ for information on individuals who participate in “malicious cyber activities against US critical infrastructure.”
(For anyone interested, the State Department has a Tor-based tip line, accessible at he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion. This URL requires the use of a Tor browser and won’t work with ordinary browsers like Chrome or Firefox.)
The ambiguous nature of the State Department’s latest bounty is related to the fluid nature of hacking groups. These outfits can dissolve and reform under different monikers and identities as easily as someone creating a new username, but they often use related methods and software that can be used to trace a common lineage.
DarkSide, for example, ceased all activities after the Colonial Pipeline incident. The group seemed caught off-guard by the magnitude of the attack, and even issued a formal apology for the “social consequences” of what they did. But according to US cybersecurity experts, members of the group may have simply rebranded as an outfit named BlackMatter, which appeared on the scene weeks after DarkSide dropped off the radar, wielding similar weapons and tactics. Presumably, the State Department’s bounty will apply to them, too.