Ransomware-as-a-Service Gang LockBit Has Bug Bounty Program

A ransomware group took a page out of the white hat hacker playbook to offer a bug bounty program for researchers willing to aid in cybercriminality.

The LockBit ransomware-as-a-service group says it will pay individuals who find exploitable vulnerabilities as well as bugs in the software it uses to maliciously encrypt files that would allow victims to rescue their data.

LockBit’s largest payout is reserved for anyone who reveals the real identity of the group’s affiliate program boss.

The prolific ransomware gang tied the announcement of its bounty to the rollout of a new version of its presumably improved malware, LockBit 3.0.

“Make Ransomware Great Again!”.

Will Researchers Participate in a Criminal Bug Bounty Program?

Color at least some researchers skeptical about whether the bug bounty will go as planned for LockBit.

Others say LockBit’s bug bounty program is merely an extension of what it already does. The gang has previously paid for vulnerabilities and bugs in applications including remote control tools and web applications, says Suleyman Ozarslan, co-founder and vice president of Picus Labs, a company that specializes in simulating hacking incidents.

Regardless, most agree that it does mark a turning point. “Malware gangs have reached a level of maturity that they are, literally, professionally run businesses,” says Mike Parkin, senior technical marketing engineer at Vulcan Cyber, a risk management company. Bug bounties have been successful for major companies such as Microsoft and Google, he says. If a bug bounty is good enough for Silicon Valley, “why wouldn’t it work for a criminal gang if they have both the maturity and the resources to do it?”

If nothing else, LockBit’s announcement puts “the fact that these groups are themselves commercial enterprises with significant budgets into perspective,” says Jake Williams, director of threat intelligence at cybersecurity firm Scythe.

Yesterday Lockbit ransomware group announced the release of Lockbit 3.0 and their ransomware "Bug Bounty" program.

Today Lockbit ransomware group introduced a new feature to their leak site.

– They encourage harassment of victims
– They allow bidding on data sale or destruction pic.twitter.com/2MFGKqAK2y

— vx-underground (@vxunderground) June 27, 2022

Increase in Ransomware

From February to March, the number of known ransomware victims surged from 185 to 283, consultancy NCC Group reported in March (see: Cybercrime: Ransomware Attacks Surging Once Again).

Based on attacks that have come to light, LockBit 2.0 was the most prolific, accounting for 96 of the 283 attacks, followed by Conti with 71 attacks, Hive with 26 attacks and BlackCat, aka Alphv, with 23 attacks, NCC Group says. Of the known victims, 44% are based in North America, followed by Europe with 38% and Asia with 7%, it adds.

Matt Hull, cyberthreat intelligence manager at the NCC Group, previously told Information Security Media Group that with ransomware attacks increasing – as expected after the seasonal reduction in January – organizations should double down on appropriate security measures.