Lockbit ransomware gang creates first malicious bug bounty program

Today, the Lockbit ransomware gang announced the launch of Lockbit 3.0, a new ransomware-as-a-service offering and a bug bounty program. 

According to Lockbit’s leak site, as part of the bug bounty program, the cyber gang will pay all security researchers, ethical and unethical hackers” to provide Personally Identifiable Information (PII) on high-profile individuals and web exploits in exchange for remuneration ranging from $1,000 to $1 million.  

The development comes shortly after the notorious Conti ransomware group disbanded, and as Lockbit is becoming one of the most prolific ransomware gangs in operation, accounting for almost half of all known ransomware attacks in May 2022. 

What a malicious bug bounty program means for the threat landscape 

Lockbit’s malicious inversion of the concept of legitimate bug bounty programs popularized by providers like Bugcrowd and HackerOne, which incentivize security researchers to identify vulnerabilities so they can be fixed, highlights how malicious threats are evolving.

“With the fall of the Conti ransomware group, LockBit has positioned itself as the top ransomware group operating today based on its volume of attacks in recent months. The release of LockBit 3.0 with the introduction of a bug bounty program is a formal invitation to cybercriminals to help assist the group in its quest to remain at the top,” said Senior Staff Research Engineer at Tenable, Satnam Narang. 

For LockBit, enlisting the help of researchers and criminals across the dark web has the potential not only to identify potential targets, but to secure its leak sites against law enforcement. 

“A key focus of the bug bounty program are defensive measures: preventing security researchers and law enforcement from finding bugs in its leak sites or ransomware, identifying ways that members including the affiliate program boss could be doxed, as well as funding bugs within the messaging software used by the group for internal communications and the Tor network itself,” Narang said. 

The writing on the wall is that Lockbit’s adversarial approach is about to get much more sophisticated.  “Anyone that still doubts cybercriminal gangs have reached a level of maturity that rivals the organizations they target may need to reassess,” said Senior Technical Engineer at Vulcan Cyber, Mike Parkin.

What about the potential drawbacks for Lockbit?

While seeking external support has the potential to enhance Lockbit’s operations, others are skeptical that other threat actors will participate in sharing information that they could exploit to gain entry to target organizations. 

At the same time, many legitimate researchers may double their efforts to find vulnerabilities in the group’s leak site. 

“This development is different, however, I doubt they will get many takers. I know that if I find a vulnerability, I’m using it to put them in prison. If a criminal finds one, it’ll be to steal from them because there is no honor among ransomware operators,” said Principal Threat Hunter at Netenrich, John Bambenek. 

How can organizations respond?

If threat actors do engage in sharing information with Lockbit in exchange for a reward, organizations need to be much more proactive about mitigating risks in their environment.  

At the very least, security leaders should assume that any individuals with knowledge of vulnerabilities in the software supply chain will be tempted to share them with the group. 

“This should have every enterprise looking at the security of their internal supply chain, including who and what has access to their code, and any secrets in it. Unethical bounty programs like this turn passwords and keys in code into gold for everybody who has access to your code,” said Head of Product and Developer Enablement at BluBracket, Casey Bisson.
Over the next few weeks, vulnerability management should be a top priority, making sure that there are no potential entry points in internal or external facing assets that potential attackers could exploit.