Lockbit ransomware gang creates first malicious bug bounty program

Today, the Lockbit ransomware gang announced the launch of Lockbit 3.0, a new ransomware-as-a-service and bug bounty program.

According to Lockbit’s leak website, as part of the bug bounty program, the cyber gang will pay all security researchers, ethical and unethical hackers” to provide received Information. personal form (PII) on famous individuals and web mining in exchange for remuneration ranging from $1,000 to $1 million.

The development came right after the scandal Conti ransomware group has disbanded and Lockbit is becoming one of the most active ransomware gangs, accounting for almost half of the total known ransomware attacks in May 2022.

What the malicious bug bounty program means for the threat landscape

Lockbit’s malicious reversal of the concept of legitimate bug bounty programs popularized by vendors like Bugcrowd and HackerOne, incentivizing security researchers to identify vulnerabilities so they can corrected, highlighting how malicious threats are evolving.

“With the demise of the Conti ransomware group, LockBit has positioned itself as the top active ransomware group today based on the number of their attacks in recent months. The release of LockBit 3.0 with the introduction of the bug bounty program is an official invitation to cybercriminals to help support the team in its quest to maintain its lead,” said Senior Staff Research Engineer at Tenable, Satnam Narang, said.

For LockBit, enlisting the help of researchers and criminals on the dark web not only has the potential to identify potential targets, but also to protect its leaked websites from law enforcement. law enforcement.

“The main focus of the bug bounty program is on defensive measures: preventing security researchers and law enforcement from finding bugs in leaked or ransomware sites, identifying ways in which members include including affiliate program owners can be annoyed, as well as sponsor errors in the message Narang said.

The writing on the wall is Lockbit’s rival approach that’s about to get much more complicated. Mike Parkin, Senior Technical Engineer at Vulcan Cyber, said: “Anyone doubting that cybercriminal gangs have reached the level of maturity that the opponents of the organizations they target may need. must be reevaluated.

What about potential limitations to Lockbit?

While seeking outside help could potentially strengthen Lockbit’s operations, others suspect that other threat actors will join in sharing information that they can exploit to infiltrate. target organizations.

At the same time, many legitimate researchers were able to redouble their efforts to find vulnerabilities in the group’s leak site.

“This development is different, however, I doubt that they will get many people involved. I know that if I find a loophole, I’ll use it to put them in jail. If a criminal finds a criminal, it will steal from them because there is no honor among the people running the ransomware,” said Threat Hunter Principal at Netenrich, John Bambenek.

How can organizations respond?

If threat actors are to engage in information sharing with Lockbit in exchange for rewards, organizations need to be much more proactive in mitigating the risk in their environment.

At the very least, security leaders should assume that any individual with knowledge of software supply chain vulnerabilities would be tempted to share them with the team.

“This should have every business consider the security of their internal supply chain, including who and what has access to their code, and any secrets therein. Unethical bounty programs like these turn passwords and keys into gold for everyone who has access to your codes,” said Head of Product Activation and Developer at BluBracket, Casey Bisson said.
Over the next few weeks, Vulnerability management should be a top priority, ensuring that there are no potential entry points in internal or external facing assets that potential attackers can exploit.