A string of major ransomware gangs have been broken apart in recent years by going a little too far with their antics. The Clop ransomware group may well be the next entry on that list, as the US Department of State has authorized a $10 million bounty on information about the group under its “Reward for Justice” program.
The Clop ransomware group is in the crosshairs due to a recent string of attacks that has, thus far, not actually involved ransomware. The group has exploited a major vulnerability in a popular file transfer system to breach a broad range of targets, including major corporations and government agencies. The group has thus far not opted to deploy its ransomware in this campaign, however, simply exfiltrating sensitive data and threatening to leak it if not paid.
Bounty offered on information linking Clop ransomware to foreign governments
There is one unusual catch with the Reward for Justice bounty. Rather than being for information that identifies group members or leads to seizure of servers, the Department of State wants any information that might link Clop ransomware to a foreign government.
The Clop ransomware group is thought to be based in Russia, and it seems unlikely that the Department of State believes the group has direct involvement with that government. The Reward for Justice bounty is more likely meant as a warning to Clop not to sell stolen data to foreign governments, and to think twice about leaking anything sensitive that it may have acquired from federal agencies.
The federal government has confirmed that “several” of its agencies were caught up in the recent Clop ransomware campaign: the Department of Energy, the Department of Agriculture and the Office of Personnel Management among them. Very little in the way of detail has been provided about what was taken from each, but the Department of Agriculture told media outlets that its breach may have impacted “a very small amount” of employees.
A number of state government agencies were also hit by the Clop ransomware gang. The worst of the known breaches was at the Louisiana Office of Motor Vehicles, where what appears to be the entire contents of the state’s driver’s license database (including Social Security numbers) was exposed. The Oregon Driver & Motor Vehicle Services agency also reported a similar breach, though it has not yet confirmed that Social Security numbers were involved. Other state agencies hit during the Clop ransomware spree include the State of Missouri Office of Administration, the Illinois Department of Innovation & Technology, the Colorado Department of Health Care Policy and Financing, and the Maryland Department of Human Services.
The Clop ransomware gang has previously issued a public statement that it deletes government data of this nature. However, the Department of Energy reported two private ransom notes directed to it. Clop’s approach thus far has been to simply post a general extortion notice on its dark web site, rather than contacting its victims individually.
The Reward for Justice program was established in 1984 as an anti-terrorism measure, but has since expanded to encompass cyber crime. The program has paid out over $200 million in reward money to date. It has previously offered $5 million for information about state-sponsored North Korean hacking activities, and $10 million for tips about general cyber attacks on critical infrastructure. The five key founders of the Conti ransomware gang were also targeted with a $10 million bounty in late 2022, after the group had split up under international law enforcement pressure.
Timothy Morris, Chief Security Advisor at Tanium, notes that the Reward for Justice bounty amount being offered is not unprecedented but is unusual: “CL0P is a serious actor. The number of victims of data thefts using the MOVEit vulnerability aren’t fully known … Offering a bounty of this size shows how seriously the US government is taking this group and their thievery. As with any reward or bounty there are pros and cons. They’re offered because they work. $10M USD is a lot of money. Most affiliates make a percentage of ransoms paid or have fixed incomes of $1-$2K/mo. So, that large of a bounty would be enticing to them. However, offering a bounty could anger the criminal gang and cause more damage. They could escalate their tactics: publishing data and publicly naming and shaming their victims.”
Reward for Justice program seeks to turn off MOVEit data leak faucet
The Clop ransomware group has listed over a dozen of the breached organizations on its dark web site, directing them to a Tor chat to begin payment negotiations. Many more have disclosed breaches related to the attack campaign at this point but have not yet appeared on the list, including assorted US and Canadian government agencies.
The gang has proven to be crafty; Clop ransomware has survived since at least 2019 in an environment where its major peers have fallen one after the other in shorter amounts of time, likely in no small part because the group knows what lines not to cross. The Reward for Justice payment serves as a reminder of what happened to DarkSide and REvil in the wake of the Colonial Pipeline and JBS attacks, and the internal rifts that led to Conti’s split after some members wanted to openly support Russia’s invasion of Ukraine.
Heath Renfrow, Co-founder of Fenix24, thinks that the government’s strategy is basically a coin flip in terms of potential effectiveness: “The State Department offering a $10M bounty is a shot in the dark. On the plus side, it sends a message to the CLOP actors that they are targeted, reducing their activity. On the negative side, it may very well drive them underground, making law enforcement efforts to apprehend them much harder. I think it’s unlikely they will get meaningful information leading to arrest; this is not the first bounty put on cyber criminals, and to my knowledge, none has been paid by the FBI for receiving information leading to arrests. The most likely outcome is that CLOP will dissolve or go underground within the next 60 days due to the high-profile attacks they have carried out in the past six months and the resulting focus they are receiving from law enforcement.”
“For the most part, the cybercriminal element seems to be shying away from hitting critical infrastructure following the Colonial Pipeline ransomware event. However, some groups will remain bold, and know that the payout of the ransom is high when the crippling of critical infrastructure is at stake,” added Renfrow.
If the data from Colorado is leaked, residents who are on Medicaid or who participate in the Child Health Plan Plus could have personal information exposed. The breaches of other state agencies are still being investigated and there is little public information as yet. Estimating the damage or what might be exposed is difficult, as MOVEit, the vulnerable software that Clop exploits, is used for the encrypted transfer of all sorts of different types of files. It is not clear whether the Reward for Justice payment would apply to reports of the sale of any of the possibly pilfered state government information to foreign governments.