The US State Department is offering a reward of up to $10 million for information leading to the identification or location of any individual holding a key leadership position in the REvil (also known as Sodinokibi) ransomware gang.
A similar reward was offered for the DarkSide ransomware group responsible for the Colonial Pipeline ransomware attack disrupting fuel supply on the U.S. East Coast.
A further $5 million reward is available for information leading to the arrest and/or conviction, in any country, of affiliates planning or carrying out REvil ransomware attacks.
The REvil ransomware gang has carried out numerous attacks against US and international targets, including the Coop, Grupo Fleury, GSMLaw, JBS, Kaseya, Kenneth Cole, and Travelex incidents.
Several REvil ransomware gang members indicted
The State Department reward scheme coincided with the US Department of Justice (DOJ) unsealing indictments against two suspects for their roles in REvil ransomware attacks, one of whom is currently in custody.
Law enforcement agencies have detained seven suspects linked to REvil, including individuals tied to the Kaseya ransomware attack. Three of them, linked to more than 7,000 infections, were affiliates of GandCrab, the ransomware operation that REvil succeeded.
“This is [an] especially good timing since it capitalizes on the recent REvil infiltration by law enforcement,” said Jake Williams, Co-Founder and CTO at BreachQuest.
Ukrainian national Yaroslav Vasinskyi, 22, is the suspected REvil affiliate behind the Kaseya incident. Vasinskyi was arrested at the Polish border during an operation involving 19 law enforcement agencies across five continents, and he faces extradition to the US.
A second REvil affiliate, Russian national Yevgyeniy Polyanin, 28, was indicted for allegedly attacking 22 Texas municipalities in 2019.
The DOJ also seized $6.1 million in funds traceable to ransom payments received by Polyanin. Reportedly living in Barnaul, Siberia, he has been active on Russian hacking forums for more than a decade.
Unfortunately, most arrests involve disposable affiliates and junior gang members, while the kingpins continue to enjoy the proceeds of cybercrime undisturbed.
Law enforcement agencies therefore need to detain the key leaders behind these networks to have a perceptible impact.
However, some states shelter the leaders of ransomware gangs and leverage their infrastructure and expertise for cyber espionage, which puts those leaders beyond the reach of conventional arrest.
Ransomware gangs rebrand to evade justice
Ransomware groups frequently rebrand to evade law enforcement as governments devote more attention and resources to tackling international cybercrime.
For example, GandCrab rebranded as REvil in 2019, and DarkSide rebranded as BlackMatter. Similarly, BitPaymer renamed itself DoppelPaymer and Nefilim became Karma.
The State Department is aware of how readily ransomware gangs change identities. The reward therefore applies to all Sodinokibi ransomware variants linked to the international organized crime group, regardless of the name it operates under.
The State Department noted that the reward demonstrated the commitment of the United States to protect ransomware victims from exploitation.
Notably, the reward is offered under the Transnational Organized Crime Rewards Program (TOCRP). The program has played a crucial role in the arrest of 75 transnational criminals, including drug traffickers, and has paid out more than $135 million in rewards.
In comparison, Osama bin Laden’s bounty was just $25 million, highlighting the U.S. government’s increasing attention to ransomware attacks.
The US has offered similar bounties before in an attempt to deter cybercriminals from compromising computer systems and stealing sensitive information.
In July 2021, US authorities offered a $10 million reward for information identifying threat actors acting on behalf of foreign governments. A similar reward in August 2020 sought to identify cyber actors attempting to interfere with US elections, and the US has offered a $5 million reward for information exposing North Korean hackers and their operations.
“It will be interesting to see if further bounties are offered for other notorious ransomware actors or not, based on the success (or failure) of this initiative,” said Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows. “This all comes on the heels of continuing moves by the Biden administration to bolster its fight against ransomware, especially when considered with recent sanctions, the creation of task forces and new agencies, and other recent talking points.”
Some criminals are likely to try to expose others and claim the cash reward. The bounty program will also sow suspicion in an already paranoid underground, forcing some criminals to reconsider their participation in cybercrime.
“With rewards this large, there’s a substantial incentive for these criminals to turn on one another,” Williams noted. “Perhaps more importantly than the specific impacts to DarkSide, this action undermines trust across the ransomware as a service affiliate model.”
“The law enforcement action against REvil in July already caused significant trust issues among operators. This drives that wedge deeper and will extend far beyond DarkSide (rebranded to BlackMatter and supposedly shut down this week),” he continued.
John Bambenek, Principal Threat Hunter at Netenrich, noted that the initiative, although novel, could fall flat for lack of anyone able to collect on it.
“However, absent a bounty hunter willing to travel to their jurisdiction, put their unconscious body in a bag, and dump it at the nearest US embassy, I doubt this will have much of an impact. To be fair, it certainly won’t hurt either. I just don’t expect to see any press conference with the Secretary of State handing out a large cardboard 10-million-dollar check any time soon.”