US Gov’t Puts $10M Bounty on CL0P as MOVEit Fallout Continues 

The U.S. State Department is offering a $10 million bounty for information related to the Cl0p ransomware gang, which is thought to be behind the attacks exploiting the MOVEit Transfer vulnerability to target federal government agencies. 

“Do you have info linking CL0P Ransomware Gang or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government? Send us a tip. You could be eligible for a reward,” the Rewards for Justice Twitter account tweeted on June 16. 


The U.S. Department of Energy, along with several other U.S. agencies, state government organizations and educational institutions, has fallen victim to the widespread attack campaign. 

This campaign has been fueled by a vulnerability in MOVEit Transfer, a widely used managed file transfer application. The scope of the attacks expanded rapidly because a single flaw in one widely deployed product gave the Cl0p ransomware group a path into the data of every organization running a vulnerable instance, a software supply chain exposure rather than a set of unrelated, per-victim intrusions.

The number of data theft victims from the MOVEit vulnerability isn't yet known. Cl0p has used double extortion attacks in the past: stealing data before encrypting it, withholding the decryption key and then leaking or selling the exfiltrated data if the ransom is not paid.

“This is the trend with ransomware criminal gangs. Extortion is more lucrative than encryption-based ransomware alone,” said Timothy Morris, chief security advisor at Tanium.

A Matter of National Security

The attack on multiple U.S. federal government agencies has also raised serious concerns about potential compromise of sensitive information, data loss and national security implications.

According to CISA’s cybersecurity advisory, this ransomware gang, also known as TA505, is prolific and considered one of the largest “phishing and malspam distributors worldwide” and is “driving global trends in criminal malware distribution.” Morris pointed out that Cl0p is a serious threat actor; it is suspected that Cl0p has already stolen huge amounts of data from many victims.

In theory, a large bounty could incentivize insiders or other knowledgeable individuals to provide crucial information.

From Morris’ perspective, offering a bounty of this size shows how seriously the U.S. government is taking this group and their actions.

“As with any reward or bounty, there are pros and cons. They’re offered because they work. $10 million is a lot of money,” he said. “Most traffers or affiliates make a percentage of ransoms paid or have fixed incomes for $1,000 or $2,000 a month; that large of a bounty would be enticing to them.”

But the bounty strategy is not without its risks—offering a bounty could anger the criminal gang and cause more damage.

“They could escalate their tactics, publishing data and publicly naming and shaming their victims,” Morris said.

Other downsides include a large volume of false-positive "tips" that have to be vetted and followed up, or a disproportionate focus on one group that later turns out to be the wrong target.

“It can encourage unethical or unregulated actions by bounty hunters,” Morris noted. “One would hope that a bounty would lead to a takedown. In the past, most takedowns slow down bad actors. Like pruning weeds, it may stop one weed but many more sprout up. That being said, I agree with the approach.”

Craig Jones, vice president of security operations at Ontinue, agreed that this strategy could backfire in several ways.

He said one potential downside is that it could inspire other cybercriminals to see the large bounty as an indication of how lucrative their activities can be.

“It could also potentially legitimize ransomware gangs in the eyes of some, by treating them as entities worth negotiating with,” he said. “Furthermore, there’s always a risk that individuals might provide false information in an attempt to claim the bounty.”

Jones pointed out that the U.S. government could do more to protect U.S. critical infrastructure by investing in stronger cybersecurity measures, promoting good cybersecurity practices and building a robust incident response capability.

“They can also foster greater cooperation and information sharing between the public and private sectors, especially in industries that manage critical infrastructure,” he said. “Investing in cybersecurity education and training, as well as research into new security technologies, is also important.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
