The US government is offering a reward of up to $10 million for information that leads to the identification or location of any individual engaged in criminal activities while working on behalf of a foreign government. The Department of State has noted that such cybercriminals have recently targeted US critical infrastructure, violating the Computer Fraud and Abuse Act. These individuals are believed to be primarily involved in the Clop ransomware operation.
Over the past few months, the Clop (or CL0P) gang has compromised systems running the MOVEit file transfer application by exploiting a previously unknown SQL injection vulnerability, tracked as CVE-2023-34362. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have published a joint security advisory offering affected organizations recommendations and mitigation strategies to defend against the zero-day flaw and the malware.
The Clop group began exploiting the MOVEit vulnerability on May 27th, just ahead of the US Memorial Day holiday, reportedly exfiltrating files from hundreds of private companies. According to CNN, the same campaign was later used to breach several US federal agencies as well.
In response to the cyberattacks, the US government is now offering a $10 million reward for any assistance in identifying or apprehending the cybercriminals. The attacks were likely successful in compromising the Department of Energy and other federal agencies that handle critical issues and infrastructure. Washington is open to receiving tips via secure messaging apps such as Signal, WhatsApp, and Telegram, or through an encrypted link hosted on Tor’s darknet.
According to Bleeping Computer, the Clop gang has now initiated the extortion phase of its latest wave of ransomware attacks. They’ve done this by listing the compromised companies on a Tor data leak site. If the affected organizations do not comply with the ransom demand, the message warns that the stolen files will be leaked online.
The Clop cybercriminals claim their motivations are purely financial, with no interest in politics. According to the unidentified actors, when their mass-exploitation campaign sweeps up government data from exposed or unprotected systems, they do the “polite thing” and delete all the stolen files.
However, as with any modern cybercrime or ransomware operation, there’s no reason to believe the Clop actors’ assertions. Consequently, the US government is operating under the assumption that the criminals have stolen sensitive files, and that identifying them is critical for effectively neutralizing the threat.