{ "id": "a11beb37-5a41-4c09-b431-cf08db5a08ba", "created_at": "2026-04-06T00:15:44.216Z", "updated_at": "2026-04-10T03:35:52.834388Z", "deleted_at": null, "sha1_hash": "cd74add551e1c569ac66031e565427d6c23077a1", "title": "US offers $10 million reward for info on Darkside ransomware group", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 88857, "plain_text": "US offers $10 million reward for info on Darkside ransomware\r\ngroup\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-19 · Archived: 2026-04-05 17:21:16 UTC\r\nThe US government has offered today a $10 million reward for any information that may lead to the identification\r\nand/or arrest of members of the Darkside ransomware group.\r\nThe State Department said the reward is eligible for any information on Darkside members with a key leadership\r\nposition inside the group's operations.\r\nTips that lead to the arrest of Darkside affiliates, which might help the group carry out an attack once in a while,\r\ncan also bring in up to $5 million, the State Department said in a press release today.\r\nUS government cites Colonial Pipeline attack as reason\r\nOfficials said they are offering these large rewards because of the group's attack on Colonial Pipeline, one of the\r\nlargest fuel pipeline operators in North America.\r\nCarried out in May 2021, the attack had a huge impact on the United State's economy, crippling 45% of the fuel\r\nsupply for the US East Coast, disrupting businesses and regular consumers alike.\r\nFollowing several veiled threats from the White House in the aftermath of the attack, the Darkside gang shut down\r\nits operations a week later, citing a mysterious cyberattack following which they said they lost control over servers\r\nand some of their funds.\r\nThe group attempted a comeback over the summer, rebranding as BlackMatter and relaunching in July, but earlier\r\nthis week, the group said they are shutting down for a second time, citing pressure from local authorities and the\r\ndisappearance of some of its members.\r\nDarkside group members have a long history of cybercrime\r\nAll in all, the chances that security researchers will send tips about the gang's members and their real identities are\r\nvery high.\r\nThe cybersecurity community has been tracking the group since the early 2010s, typically under the codename of\r\nFIN7, when the group was primarily involved in carrying out attacks on point-of-sale systems.\r\nSome of these early FIN7 members were charged and subsequently arrested in 2018, a good indicator that the\r\ngroup may not live as deep in the shadows as they think they do.\r\nThe rewards offered today are not the first that the US government has offered for information on foreign hackers.\r\nPrevious cases include:\r\nhttps://therecord.media/us-offers-10-million-reward-for-info-on-darkside-ransomware-group/\r\nPage 1 of 3\n\nJuly 2021 - a $10 million reward or any information that helps US authorities identify and locate threat\r\nactors \"acting at the direction or under the control of a foreign government\" that carry out malicious cyber\r\nactivities against US critical infrastructure.\r\nAugust 2020 - a $10 million reward for information on any person who works with or for a foreign\r\ngovernment for the purpose of interfering with US elections through \"illegal cyber activities.\"\r\nApril 2020 - a $5 million reward for information on North Korea's hackers and their ongoing hacking\r\noperations. \r\nGet more insights with the\r\nRecorded Future\r\nIntelligence Cloud.\r\nLearn more.\r\nNo previous article\r\nNo new articles\r\nhttps://therecord.media/us-offers-10-million-reward-for-info-on-darkside-ransomware-group/\r\nPage 2 of 3\n\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/us-offers-10-million-reward-for-info-on-darkside-ransomware-group/\r\nhttps://therecord.media/us-offers-10-million-reward-for-info-on-darkside-ransomware-group/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://therecord.media/us-offers-10-million-reward-for-info-on-darkside-ransomware-group/" ], "report_names": [ "us-offers-10-million-reward-for-info-on-darkside-ransomware-group" ], "threat_actors": [ { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82", "created_at": "2022-10-25T16:07:23.619566Z", "updated_at": "2026-04-10T02:00:04.690061Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "APT-C-11", "ATK 32", "G0046", "Gold Niagara", "GrayAlpha", "ITG14", "TAG-CR1" ], "source_name": "ETDA:FIN7", "tools": [ "7Logger", "Agentemis", "Anubis Backdoor", "Anunak", "Astra", "BIOLOAD", "BIRDWATCH", "Bateleur", "Boostwrite", "CROWVIEW", "Carbanak", "Cobalt Strike", "CobaltStrike", "DICELOADER", "DNSMessenger", "FOWLGAZE", "HALFBAKED", "JSSLoader", "KillACK", "LOADOUT", "Lizar", "Meterpreter", "Mimikatz", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "POWERPLANT", "POWERSOURCE", "RDFSNIFFER", "Ragnar Loader", "SQLRAT", "Sardonic", "Sekur", "Sekur RAT", "TEXTMATE", "Tirion", "VB Flash", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434544, "ts_updated_at": 1775792152, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/cd74add551e1c569ac66031e565427d6c23077a1.pdf", "text": "https://archive.orkl.eu/cd74add551e1c569ac66031e565427d6c23077a1.txt", "img": "https://archive.orkl.eu/cd74add551e1c569ac66031e565427d6c23077a1.jpg" } }