Chris Swagler | November 5th, 2021

The US State Department is offering a $10,000,000 reward for information on the identity or location of the DarkSide ransomware group leaders and their rebrands or the arrest of the operation’s members. Additionally, a $5,000,000 reward is being offered for information leading to the arrest and/or conviction of any individual worldwide who conspires or attempts to participate in a DarkSide ransomware attack. Anyone can submit their tips to the FBI at https://tips.fbi.gov/ or through WhatsApp, Telegram, and Signal. When the State Department mentions “DarkSide variant ransomware,” the reward applies to DarkSide rebrands including the BlackMatter operation.

Earlier this year, the DarkSide ransomware group was responsible for attacking the Colonial Pipeline, which led to temporarily shutting down the 5,500-mile pipeline. This resulted in gas price increases and fuel shortages along the US East Coast. After feeling the full scrutiny of international law enforcement, DarkSide decided to rebrand as BlackMatter. It’s a common practice for ransomware operations to rebrand under a different name when they are feeling the heat of law enforcement after breaching a highly critical company.

In the past, there have been other ransomware operations that rebranded, including REvil to GandCrab, Maze to Egregor, Bitpaymer to DoppelPaymer to Grief, and Nemty to Nefilim to Karma. However, according to BleepingComputer, after feeling enormous pressure from the authorities and group members disappearing, BlackMatter is shutting down its operation. The bounty the State Department put on DarkSide demonstrates that law enforcement will not stop pursuing ransomware groups even if they switch names.

By offering the reward, the United States government demonstrates its commitment to protecting global ransomware victims from cyber-criminals’ exploitations. Additionally, the United States is looking to nations harboring ransomware criminals to bring justice for companies and organizations impacted by ransomware. The reward is part of the department’s Transnational Organized Crime Rewards Program (TOCRP), which has paid out $135 million and brought over 75 criminals to justice since its creation in 1986. A co-founder of a cybersecurity company explained that the reward would hopefully drive a wedge between threat actors. This is especially true after US Cyber Command and a foreign government successfully disrupted the REvil ransomware group operations.

The number of people ransomware operators must trust has dramatically increased as many operators are adopting an affiliate model for their operations. With these large rewards being offered, there’s a possibility that cybercriminals will begin turning on each other. A threat analyst ponders whether former DarkSide/BlackMatter affiliates, who lost millions because of the group’s insufficiency, might be tempted by the State Department rewards. These rewards can create distrust in the criminal underworld and make it more difficult for groups to operate.

Even with the $10 million reward offered by the US State Department, ransomware groups like DarkSide/BlackMatter will continue to rebrand under different names to evade law enforcement. That’s why it’s crucial for companies to stay current with the latest threat landscape, keep an updated network security posture, and contact the FBI or local law enforcement with information regarding any ransomware groups.

At SpearTip, our certified engineers at our three 24/7 Security Operations Centers will continuously monitor your networks for potential threats like DarkSide/BlackMatter. Being proactive in protecting your company’s network is the most effective route to data security. SpearTip’s ShadowSpear platform, our endpoint detection and response tool, is a great proactive tool for any company because it prevents ransomware like DarkSide/BlackMatter from breaching your data servers.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.