Lockbit ransomware gang creates first malicious bug bounty program



Today, the Lockbit ransomware gang announced the launch of Lockbit 3.0, a new ransomware-as-a-service offering and bug bounty program.

According to Lockbit’s leak site, the gang’s bug bounty program will pay security researchers and hackers, ethical or not, for personally identifiable information (PII) on high-profile individuals and for web exploits, with rewards ranging from $1,000 to $1 million.

The development comes shortly after the infamous Conti ransomware group disbanded, and as Lockbit has become one of the most prolific ransomware gangs, accounting for nearly half of all known ransomware attacks as of May 2022.

What a malicious bug bounty program means for the threat landscape

Lockbit’s malicious inversion of the legitimate bug bounty programs popularized by providers such as Bugcrowd and HackerOne, which pay security researchers to find vulnerabilities so they can be fixed, shows how threat actors evolve.

“With the fall of the Conti ransomware group, LockBit has positioned itself as the top ransomware group active today based on the number of attacks over the past few months. The release of LockBit 3.0 with the introduction of a bug bounty program is a formal invitation to cybercriminals to assist the group in its quest to stay on top,” said Senior Staff Research Engineer at Tenable, Satnam Narang.

For Lockbit, enlisting dark web researchers and criminals has the potential not only to surface new targets, but also to harden its leak sites against law enforcement.

“A key focus of the bug bounty program is defensive measures: preventing security researchers and law enforcement from finding bugs in the leak sites or ransomware, identifying ways in which members, including the boss of the affiliate program, can be doxxed, as well as finding bugs in the messaging software used by the group for internal communications and the Tor network itself,” said Narang.

The writing on the wall is that Lockbit’s operations are about to become much more sophisticated. “Anyone who still doubts cybercriminal gangs have reached a maturity level that rivals the organizations they target,” said Mike Parkin, Senior Technical Engineer at Vulcan Cyber.

What about the potential downsides to Lockbit?

While outside help could improve Lockbit’s operations, others are skeptical that rival threat actors will hand over information they could instead use themselves to gain access to target organizations.

At the same time, many legitimate researchers may redouble their efforts to find vulnerabilities on the group’s leak site.

“This development is different, but I doubt they will get many takers. I know that if I find a vulnerability, I’ll use it to put them in jail. If a criminal finds one, it’s to steal from them, because there’s no honor among ransomware operators,” said John Bambenek, Netenrich’s Principal Threat Hunter.

How can organizations respond?

With Lockbit now paying threat actors for information, organizations must be far more proactive about mitigating risk in their environments.

Security leaders should at least assume that individuals with knowledge of software supply chain vulnerabilities will be tempted to share them with the group.

“As a result, every company should look at the security of their internal supply chain, including who and what has access to their code, and any secrets within it. Unethical bounty programs like this one turn passwords and keys in code to gold for anyone who has access to your code,” said Casey Bisson, Head of Product and Developer Enablement at BluBracket.

Vulnerability management should also be a top priority in the coming weeks, to close any entry points in internal or external assets that attackers could exploit.
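Bisson’s point above, that credentials committed to source code become currency for anyone who can read the repository, is the kind of exposure a hard-coded secret scan is meant to catch before an insider or a leaked clone does. The scanner below is an added example written for this article; it is not Lockbit’s, BluBracket’s, or VentureBeat’s code. The rule names, the placeholder markers, and the sample settings file (with made-up key values) are all assumptions constructed for the demonstration, and a production scanner would carry far more vendor patterns than these four.

```python
"""Minimal hard-coded secret scanner (added example, not the article's own code)."""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    value: str
    entropy: float  # Shannon entropy in bits/char; higher values suggest real key material


# Assumed, illustrative rules: a few vendor-specific token shapes plus a generic
# "credential-looking assignment" pattern that captures the quoted value.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("credential_assignment",
     re.compile(r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"]{6,})['\"]")),
]

# Values that look like templates rather than live credentials. Applied to the
# generic rule only; vendor-shaped tokens are always reported.
PLACEHOLDER_MARKERS = ("<", "${", "changeme", "placeholder", "your-", "xxx")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value: str) -> bool:
    v = value.lower()
    return any(marker in v for marker in PLACEHOLDER_MARKERS)


def scan_text(text: str) -> List[Finding]:
    """Scan source text line by line and return every rule hit, in rule order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                # Generic rule captures the quoted value; vendor rules report the whole token.
                value = m.group(1) if m.groups() else m.group(0)
                if rule == "credential_assignment" and is_placeholder(value):
                    continue
                findings.append(Finding(line_no, rule, value, round(shannon_entropy(value), 2)))
    return findings


# Constructed sample input: none of these values are real credentials.
SAMPLE_SOURCE = """\
# settings.py -- constructed sample; none of these values are real credentials
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "Zq7hG2kL9mNpQ3rS5tV8wX0yB1cD4eF6gH7jK9mN"
DB_PASSWORD = "hunter22"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
SMTP_PASSWORD = "<your-smtp-password>"          # template value, not a leak
api_key = os.environ["API_KEY"]                 # correct: secret comes from the environment
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAconstructedkeymaterial...
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f.line_no:>2}  {f.rule:<22} entropy={f.entropy:<5} {f.value}")
```

Run it against a checkout with `scan_text(open(path).read())` per file. Note the two deliberate non-findings in the sample: the `<your-smtp-password>` template is filtered as a placeholder, and `os.environ["API_KEY"]` is the pattern to migrate to, since no literal exists in the code to steal. The GitHub token line is reported twice (once by the vendor rule, once by the generic one); deduplicating by line is a reasonable refinement, but overlapping rules are safer than gaps.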
