A bug bounty program is a deal offered to hackers or developers to receive compensation for reporting bugs, security exploits and vulnerabilities.
Image: Piscine26/Adobe Stock

In a new twist on the ransomware game, the LockBit cybercrime group has launched a bug bounty program promising money to people willing to share sensitive data that can be exploited in ransomware attacks. A recent tweet posted by the vx-underground account, which publishes malware samples, says that through the new bounty program, LockBit will pay for personally identifiable information on “high-profile individuals, web security exploits and more.”

The bounty program is being unveiled with the release of LockBit 3.0, the latest version of the gang’s ransomware-as-a-service product and one already being used in new ransomware attacks. At its LockBit 3.0 bug bounty site, the group is inviting “all security researchers, ethical and unethical hackers on the planet” to participate in their bug bounty program. The rewards for leaking personal data vary from $1,000 to as much as $1 million.


Bug bounty programs are typically used by legitimate companies as a way to coax security researchers and hackers to find vulnerabilities in their software code. This move by LockBit apparently is the first time a cybercrime group is using the same concept — except this time for nefarious purposes. This development also comes as ransomware groups are increasingly being run like legal enterprises with a business structure and model.

“Businesses offer bug bounties to get more eyes on their code, hoping they offer enough of a reward to entice researchers to take a look and responsibly disclose what they find,” said Mike Parkin, senior technical engineer at cyber risk company Vulcan Cyber. “Now, with the LockBit ransomware gang apparently offering bug bounties of their own, anyone that still doubts cybercriminal gangs have reached a level of maturity that rivals the organizations they target may need to reassess. They have taken a page straight from a mature organization’s development playbook.”

The LockBit 3.0 bounty site even includes a menu of bug bounty categories of interest to the gang, as revealed by Bleeping Computer. The group promises payment for website bugs such as cross-site scripting vulnerabilities and SQL injections. But it goes beyond just vulnerabilities. The gang says it will pay for errors found in its own ransomware encryption and decryption process, flaws that could allow root access to its own servers and even “brilliant ideas” that can help it improve its site and software.

But the most lucrative offer is in the form of $1 million, paid for doxing the affiliate program boss. This means that the group is challenging people to find the real identity of LockBit’s affiliate program boss, someone known only as LockBitSupp, and is willing to pay a lot to see if anyone can identify them. This offer has been around since at least March 2022, when LockBitSupp promised $1 million to the FBI agent who could “de-announce” them.

The LockBit bug bounty program naturally relies on finding unethical researchers, hackers and other individuals willing to provide criminals with sensitive data to make a quick buck. Though most organizations want to trust their employees and partners, the sad reality is that businesses have to make sure assets are protected against all threats, both external and internal.

“The bigger headline here is that attackers are increasingly finding they can buy access to the companies and systems they want to attack,” said Casey Bisson, head of product and developer enablement at security firm BluBracket. “This should have every enterprise looking at the security of their internal supply chain, including who and what has access to their code and any secrets in it. Unethical bounty programs like this turn passwords and keys in code into gold.”