LockBit ransomware gang launches bug bounty programme

In what is likely a world’s first, the operators of LockBit have added a bug bounty programme as they launch version 3.0 of their ransomware, offering pay-outs to those that discover vulnerabilities on their leak website and in their code.

In screengrabs circulated online, the ransomware-as-a-service (RaaS) gang says it aims to “make ransomware great again” and details a range of areas in which it is seeking input from “all security researchers, ethical and unethical hackers on the planet”, with payments starting from $1,000.

The LockBit gang is particularly keen to hear about website bugs, such as cross-site scripting (XSS) vulnerabilities that could enable outsiders to obtain its decryption tool or access its victim chat logs, or bugs in its locker that could let victims recover their files without paying for the decryption tool.

It appears to also be offering a $1m bounty for doxing both high-profile targets, as well as the head of its affiliate programme, although the language on this point is unclear. It is, however, perhaps worth noting that previous intelligence gleaned by Trend Micro suggests LockBit is known for recruiting insiders to carry out its attacks.

Lockbit ransomware group announced today Lockbit 3.0 is officially released with the message: “Make Ransomware Great Again!”

Additionally, Lockbit has launched their own Bug Bounty program paying for PII on high-profile individuals, web security exploits, and more... pic.twitter.com/ByNFdWe4Ys

— vx-underground (@vxunderground) June 26, 2022

Commenting on the unusual move, Suleyman Ozarslan, cofounder of Picus Security, said that it characterised the ongoing evolution towards more collaboration within the cyber criminal world, as typified by the use of initial access brokers (IABs), for example.

“The LockBit ransomware gang [has] expanded the use of other financially motivated threat actors with Lockbit 3.0. Previously, they paid for vulnerabilities and bugs in applications including remote control tools and web applications. Now, they also pay for private personal information about important persons for their doxing campaigns,” said Ozarslan.

“Moreover, they are now paying for bugs to improve their tools and sourcing ideas to improve their website and ransomware. This includes locker bugs, the bugs in the encryption mechanism of ransomware, vulnerabilities in their messaging tool, the Tox messenger, and their messaging channel on the Tor network.

“In my opinion, leveraging both ethical and unethical hackers with these payment methods will result in more advanced ransomware.”

According to Computer Weekly’s sister publication, LeMagIT, the source code of LockBit’s site suggests a number of other refinements in version 3.0, including new means of monetisation and data recovery, or even destruction should the victim choose, and the ability for victims to pay in the Zcash cryptocurrency, in addition to Bitcoin and Monero.

Active since late 2019, LockBit has emerged as a significant threat to organisations, and although it has not yet achieved the infamy accorded to the likes of Conti or REvil, the downfall of Conti has left a gap in the market that it is happy to fill.

Last month, the gang’s previous ransomware, LockBit 2.0, accounted for 40% of attacks observed by NCC Group. Matt Hull, NCC global lead for strategic threat intelligence, said: “Lockbit 2.0 has fast cemented its place as the most prolific threat actor of 2022. It is crucial that businesses familiarise themselves with their tactics, techniques, and procedures. It will give them a better understanding of how to protect against attack and the most appropriate security measures to implement.”

Trend Micro noted LockBit’s core operators or developers are particularly technically adept at developing what one might reasonably term a high-performance ransomware that is particularly speedy and efficient.

The launch of LockBit 2.0 saw it debut a new malware called StealBit to automate data exfiltration, and it has also led the charge towards targeting Linux hosts, specifically ESXi servers. There is no reason to suppose LockBit 3.0 will be any less sophisticated.

Based on Trend’s metrics, gathered between June 2021 and January 2022, the most LockBit-related detections were seen in the healthcare sector, followed by education, technology, financial services and manufacturing. An analysis of its leak site, between December 2021 and January 2022, found most victims were in financial or professional services, followed by the industrial, legal and automotive sectors.

A further point to be aware of includes a possible preference for victims in Europe who may be motivated to pay out of fear of being found in breach of the General Data Protection Regulation (GDPR).