While businesses have yet to fully recognize the importance of running bug bounty programs, cybercriminals have seemingly realized their potential. Thus, in an ironic move, the LockBit ransomware gang has debuted a bug bounty program for its LockBit 3.0.
LockBit 3.0 Ransomware Bug Bounty Program
Reporting what they spotted on the dark web, Bleeping Computer’s Lawrence Abrams explained that the LockBit threat actors announced $1000 to $1 million bounties for finding and reporting various issues in the LockBit 3.0 structure.
LockBit 3.0 is the latest variant of the notorious LockBit ransomware, following LockBit 2.0. The attackers recently launched the 3.0 variant after two months of beta-testing. Yet, despite the short time, it has emerged as a potent malware, accounting for 40% of ransomware attacks in May 2022.
With the formal 3.0 variant release, the LockBit gang also announced the first ransomware bug bounty program. According to the statement given on their dark net website,
We invite all security researchers, ethical and unethical hackers on the planet to participate in our bug bounty program. The amount of remuneration varies from $1000 to $1 million.
Another thing setting it apart from conventional bug bounty programs is the side offer for “brilliant ideas.” The attackers would reward anyone sharing ideas for improving the ransomware operations, and would also pay for doxing the affiliate program manager.
Regarding the “scope” of this bug bounty program, the attackers list the following as eligible for bounties.
- Website bugs, like MySQL injections and XSS, which allow getting the decryptor or reveal correspondence with victims.
- Locker bugs that allow file decryption without the decryptor.
- Doxing the affiliate program boss ($1 million bounty pledged).
- TOX messenger bugs.
- Tor network bugs that expose the site’s servers.
- Brilliant ideas for improving ransomware operations.
For the payments, LockBit has chosen Zcash and Monero, two hard-to-trace privacy coins.
Of course, while it may be lucrative, it is not legitimate for ethical hackers and bug bounty hunters to participate in this program, as doing so would only assist the criminals.