US targets REvil, DarkSide ransomware with $10M rewards

The U.S. government issued a hefty reward for information on the DarkSide ransomware group, but infosec experts say the move is less about obtaining intelligence and more about spreading paranoia among threat actors.

In a statement last week, the U.S. Department of State offered up to $10 million for information on key leaders of the group responsible for the attack on the Colonial Pipeline Company six months ago. The State Department also offered up to $5 million for leading to the arrest and/or conviction of on any DarkSide affiliates. The ransomware as a service (RaaS) group has built a reputation for targeting critical infrastructure and employing double extortion techniques.

In a separate announcement on Monday, the State Department offered another reward of up to $10 million for information on primary members of the REvil ransomware variant, also known as Sodinokibi. REvil was responsible for several high-profile attacks, including the supply chain hack against Kaseya in July. The rewards offer is just one of the latest measures taken by law enforcement, which has enhanced its efforts to disrupt operations.

While it is unclear if it will lead to arrests, it may be successful in building distrust among the ransomware hive.

Snir Ben Shimol, executive director at threat detection vendor Varonis, attributed the reward as the government's attempt to scale up its operation to match threat actors, who he said are making more than $300 million a year. Since the DarkSide reward was publicized, Shimol has observed disruption through the dark web chats. He believes it is having a huge impact because of the massive number attached to it.

"This is a serious incentive for other cybercriminals to turn against each other," Shimol said.

Prior to the announcement, dark web chats revealed friction among the groups, particularly REvil and DarkSide. Jon DiMaggio, chief security strategist for threat intelligence vendor Analyst1, said that when DarkSide temporarily went offline following the Colonial Pipeline attack, REvil operators spread word on hacker forums that the group had been shut down and couldn't access their cryptocurrency wallets; that apparently upset DarkSide's leadership, DiMaggio said.

In September, Shimol observed secret chats that highlighted changes around the level of trust needed to work with DarkSide affiliates, as operators became increasingly concerned that some of them could be threat researchers, law enforcement or informants.

DiMaggio also said REvil affiliates have issued a high number of complaints of not being paid for successful attacks, which could have long-term implications.

"It's definitely going to tempt other criminals that know who these guys are to turn them in, especially because REvil screwed so many other criminals out of their money," DiMaggio said.

The timing of the reward, Shimol said, is the government's way to capitalize on the already growing distrust among the ransomware groups.

"I think someone waited for those very serious threat actors -- they're the biggest in the industry right now, together with Conti -- to make this reputation mistake. And then the government saying, 'They're stealing from you; they're operating behind your back and not respecting your agreement. We will respect the agreements, if you're going to take them down,'" Shimol said. "Why not take all the information you know about REvil and just go to the authorities and take that money?"

Shimol also said the rewards could be effective without anyone actually claiming the money.

"A lot of these campaigns come down to psychology and psychological attacks against the trust relationship of the cybercriminals that are running these RaaS business models. They want to turn them against one another, and they want to make this RaaS a very hard task," Shimol said.

Emsisoft threat analyst Brett Callow said ransomware operators would have no issue turning their business partners in, and they all know that. In addition to mistrust and a lack of loyalty, the substantial reward amount, which is more than any cybercriminal bounty DiMaggio has ever seen, is enticing enough.

"They are conscienceless scumbags," Callow said in an email to SearchSecurity. "This will make it harder for them to collaborate and cooperate, and perhaps slow down their operations."

Affiliates of the ransomware gangs, who often work for more than one group, are making 30% off the top, according to DiMaggio. Therefore, while they may be still making decent money, it's nowhere near $10 million. Additionally, DiMaggio believes that right now, there isn't one ransom out there that would give affiliates the ability to make $10 million in one hit.

"I do think that it will, if anything, put pressure and get in these guys' heads to be even more paranoid now," DiMaggio.

While it may extend paranoia and distrust, infosec analysts are wary it will lead to any arrests of DarkSide operators. DiMaggio said rewards and the recent arrests of affiliates made by law enforcement may slow down operations, but it will not step until they arrest key members. "That's just a fact," he said.

Mark Testoni, CEO of SAP National Security Services, agreed that rewards can be part of a tactic of the broader concepts of information sharing and political pressure on countries hosting or encouraging threat actors, but there is no one single act that will stop these attacks.

"Ultimately, we need to make the cost of these activities higher to the perpetrators than the likely rewards," Testoni said in an email to SearchSecurity.