The US Department of State’s national security rewards program, Rewards for Justice (RFJ), is offering a reward of up to $10 million for information linking the Cl0p ransomware gang, or any other malicious cyber actors targeting US critical infrastructure, to a foreign government.

This is not really new. RFJ’s statutory authorities offers rewards for information in four broad categories and one of them is:

Malicious Cyber Activity For information that identifies or locates any individual who, while acting at the direction or under the control of a foreign government, aids or abets a violation of the Computer Fraud and Abuse Act  (“CFAA”), 18 U.S.C. § 1030. This includes foreign election interference.

But the Tweet explicitly mentioning Cl0p is new. The gang is thought to be behind a recent ransomware spree that compromised a large number of organizations by exploiting a zero-day flaw in Progress’ MOVEit Transfer software.

With as many as 2,500 targets exposed on the Internet, the number of potential victims could be in the hundreds. Some of them have already confirmed, either by the firms themselves or by  being mentioned on the Cl0p leak site.

Campaigns like Cl0p’s abuse of the MOVEit vulnerability, or high profile attacks like the one on Colonial Pipeline in 2021, can trigger an extra focus on the specific ransomware group responsible. Perhaps aware of this, Cl0p took to its website to preemptively promise that it was not going to use data stolen from government organizations and would delete it instead.

It seems that was not enough to avoid getting in the cross-hairs of the US federal government, as we predicted just hours before. The tweet appeared shortly after our own Cybersecurity Evangelist, Mark Stockley, expressed his doubts that Cl0p’s plan would help them avoid unwanted attention from law enforcement.

“Cl0p’s approach supposes that the US government would react more strongly to sensitive data being leaked than it would to multiple simultaneous breaches by the same criminal organisation. This ignores the fact that by using zero-days to attack hundreds of targets simultaneously, including parts of the federal government, Cl0p has already made itself ransomware’s squeakiest wheel.”

And don’t think that all these ransomware operators sit safely out of reach, behind what used to be an iron curtain. The recent arrest of Ruslan Magomedovich Astamirov, a ransomware actor associated with LockBit, in Arizona, shows that the cybercriminals think they can hide anywhere if they are careful enough.

US Attorney Philip R. Sellinger for the District of New Jersey said:

“Astamirov is the third defendant charged by this office in the LockBit global ransomware campaign, and the second defendant to be apprehended. The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly with all our law enforcement partners to identify ransomware perpetrators and bring them to justice.”

Also, some criminals can’t help themselves and need to show off how rich they are or how clever they think they are. The best example may be Mark Sokolovsky. This Ukrainian national and alleged cybercriminal loved posting selfies with fistfuls of cash. When the Russian invasion of Ukraine caused him to flee the country, his girlfriend posted pictures of the couple’s journey on her Instagram account. Sokolovsky was arrested in the Netherlands and is awaiting extradition to the US, accused of being a key player in the cybercrime operation behind Raccoon Stealer.

So, if you’re in the market for a $10 million reward, happy hunting. And for anyone eligible, I’m throwing in a free copy of Malwarebytes Premium. You’ll need it.


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW