The LockBit ransomware group has just released its latest ransomware-as-a-service offering, LockBit 3.0, and with it a first for the Dark Web: a bug-bounty program.
The bounty program offers rewards for personally identifiable information (PII) on valuable targets, security exploits, and more, according to screenshots of messages that appear to have been shared by LockBit actors.
“We invite all security researchers, ethical and unethical hackers on the planet,” the group reportedly wrote, offering payments for website bugs, locker bugs, TOX messenger exploits and information to boost doxxing campaigns, with payments starting at $1,000. The group is even willing to pay for new ideas for cybercrime, the ad says.
LockBit is on the rise. In the wake of Conti’s shutdown, LockBit 2.0 emerged as the dominant ransomware-as-a-service group in May, with the dubious distinction of being behind 40% of all ransomware attacks during the month. LockBit operators now appear ready to put a new, malicious twist on bug-bounty programs.
‘No honor among ransomware operators’
“I wish this surprised me,” said Mike Parkin, senior technical engineer at Vulcan Cyber, in response to the LockBit bug bounty launch. “But malware gangs have reached a level of maturity that they are literally professionally run companies.”
While the innovation is notable as a development in the ransomware industry, John Bambenek, chief threat hunter at Netenrich, said he doubts anyone would actually submit anything and expect to collect the bounty.
“This development is different, but I doubt they will get many participants,” Bambenek said in a statement to Dark Reading. “I know that if I find a vulnerability, I will use it to put them in jail. If a criminal finds one, it will be to steal from them because there is no honor among ransomware operators.”