Criminals Offer $1,000 to $1M for Vulnerabilities
@prajeetspeaks
June 27, 2022
A ransomware group is taking a page out of the white hat hacker playbook to offer a bug bounty program for researchers willing to aid in cybercriminality.
The LockBit ransomware-as-a-service group says it will pay individuals who find exploitable vulnerabilities as well as bugs in the software it uses to maliciously encrypt files that would allow victims to rescue their data.
“We invite all security researchers, ethical and unethical hackers on the planet to participate in our bug bounty program. The amount of remuneration varies from $1000 to $1 million,” the group posted on its website, according to malware repository vx-underground. Bug bounties are programs intended to incentivize responsible disclosure of vulnerabilities by enticing researchers to submit their findings to the responsible vendor.
LockBit’s largest payout is reserved for anyone who reveals the real identity of the group’s affiliate program boss.
The prolific ransomware gang tied the announcement of its bounty to the rollout of a new version of its presumably improved malware, LockBit 3.0.
“Make Ransomware Great Again!” the group says.
Will Researchers Participate in a Criminal Bug Bounty Program?
Color at least some researchers skeptical about whether the bug bounty will go as planned for LockBit.
“I doubt they will get many takers,” says John Bambenek, principal threat hunter at Netenrich, a security company. “I know that if I find a vulnerability, I’m using it to put them in prison. If a criminal finds one, it’ll be to steal from them because there is no honor among ransomware operators.”
Others say LockBit’s bug bounty program is merely an extension of what it already does. The gang has previously paid for vulnerabilities and bugs in applications including remote control tools and web applications, says Suleyman Ozarslan, co-founder and vice president of Picus Labs, a company that specializes in simulating hacking incidents.
“Leveraging both ethical and unethical hackers with these payment methods will result in more advanced ransomware,” Ozarslan tells ISMG.
Regardless, most agree that it does mark a turning point. “Malware gangs have reached a level of maturity that they are, literally, professionally run businesses,” says Mike Parkin, senior technical marketing engineer at Vulcan Cyber, a risk management company. Bug bounties have been successful for major companies such as Microsoft and Google, he says. If a bug bounty is good enough for Silicon Valley, “why wouldn’t it work for a criminal gang if they have both the maturity and the resources to do it?”
If nothing else, LockBit’s announcement puts “the fact that these groups are themselves commercial enterprises with significant budgets into perspective,” says Jake Williams, director of threat intelligence at cybersecurity firm Scythe.
Increase in Ransomware
From February to March, the number of known ransomware victims surged from 185 to 283, consultancy NCC Group reported in March (see: Cybercrime: Ransomware Attacks Surging Once Again).
Based on attacks that have come to light, LockBit 2.0 was the most prolific, accounting for 96 of the 283 attacks, followed by Conti with 71 attacks, Hive with 26 attacks and BlackCat, aka Alphv, with 23 attacks, NCC Group says. Of the known victims, 44% are based in North America, followed by Europe with 38% and Asia with 7%, it adds.
Matt Hull, cyberthreat intelligence manager at the NCC Group, previously told Information Security Media Group that with ransomware attacks increasing – as expected after the seasonal reduction in January – organizations should double down on appropriate security measures.
“This is especially important for the industrials sector, which continues to be the most frequent victim of ransomware,” he said.