LockBit Introduces First Ransomware Bug Bounty Program
The LockBit ransomware operation has released “LockBit 3.0,” a new ransomware-as-a-service (RaaS) offering, along with the first bug bounty program run by a ransomware group.
In screengrabs circulated online, the RaaS gang says it aims to “make ransomware great again.” It will pay “all security researchers, ethical and unethical hackers on the planet” to provide web exploits and personally identifiable information (PII) on high-profile individuals. Payments range from $1,000 up to $1 million.
The ransomware operation launched in 2019 and has since grown to be the most prolific ransomware operation, accounting for nearly half of all known ransomware attacks in May 2022.
Casey Bisson is head of product and developer enablement at BluBracket, a provider of code security solutions.
“Legitimate bounty programs developed as an alternative to dark web marketplaces where vulnerabilities and PII have been exchanged for over a decade,” he said. “These ethical hacking programs have been enormously successful in helping to uncover attackable vulnerabilities and create a culture of responsible disclosure that has benefitted participants in these programs, security researchers, and helped to raise security awareness and skill across the industry. It’s no surprise to see ransomware groups refining their methods and services in the face of that competition.”
The bigger headline here is that attackers are increasingly finding they can buy access to the companies and systems they want to attack, Bisson said.
“This should have every enterprise looking at the security of their internal supply chain, including who and what has access to their code, and any secrets in it,” he said. “Unethical bounty programs like this turn passwords and keys in code into gold for everybody who has access to your code.”
Mike Parkin is senior technical engineer at Vulcan Cyber.
“Businesses offer bug bounties to get more eyes on their code, hoping they offer enough of a reward to entice researchers to take a look and responsibly disclose what they find,” he said. “Now, with the LockBit ransomware gang apparently offering bug bounties of their own, anyone who still doubts cybercriminal gangs have reached a level of maturity that rivals the organizations they target may need to reassess. They have taken a page straight from a mature organization’s development playbook. If it works for a major player like Microsoft, Google or Apple, why wouldn’t it work for a criminal gang if they have both the maturity and the resources to do it?”
Malware gangs have caught up with conventional organized crime syndicates at this point, and it’s going to take an international effort to stop them, Parkin said.
“Unfortunately, we all know how well that’s worked overall,” he said.