Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Ransomware Gang Offers Bounties for Vulnerabilities

July 7, 2022

We keep thinking it can’t get worse. And then – it does.

BankInfo Security reported on June 27 that the LockBit ransomware-as-a-service group has said it will pay people who find exploitable vulnerabilities, as well as bugs in its own file-encrypting software that would let victims recover their data without paying.

“We invite all security researchers, ethical and unethical hackers on the planet to participate in our bug bounty program. The amount of remuneration varies from $1000 to $1 million,” the group posted on its website. Bug bounties are programs normally intended to incentivize responsible disclosure of vulnerabilities by enticing researchers to submit their findings to the responsible vendor.

LockBit’s largest payout is reserved for anyone who reveals the real identity of the group’s affiliate program boss.

LockBit tied the announcement of its bounty to the rollout of a new version of its presumably improved malware, LockBit 3.0.

“Make Ransomware Great Again!” the group says.

Some researchers are skeptical about whether the bug bounty will be a success.

“I doubt they will get many takers,” says John Bambenek, principal threat hunter at Netenrich, a security company. “I know that if I find a vulnerability, I’m using it to put them in prison. If a criminal finds one, it’ll be to steal from them because there is no honor among ransomware operators.”

Others say LockBit’s bug bounty program is merely an extension of what it already does. The gang has previously paid for vulnerabilities and bugs in applications including remote control tools and web applications, says Suleyman Ozarslan, co-founder and vice president of Picus Labs, a company that specializes in simulating hacking incidents.

“Leveraging both ethical and unethical hackers with these payment methods will result in more advanced ransomware,” Ozarslan tells ISMG.

Most experts agree that this development is a turning point. “Malware gangs have reached a level of maturity that they are, literally, professionally run businesses,” says Mike Parkin, senior technical marketing engineer at Vulcan Cyber, a risk management company. Bug bounties have been successful for major companies such as Microsoft and Google, he says. If a bug bounty is good enough for Silicon Valley, “why wouldn’t it work for a criminal gang if they have both the maturity and the resources to do it?”

LockBit’s announcement puts “the fact that these groups are themselves commercial enterprises with significant budgets into perspective,” says Jake Williams, director of threat intelligence at cybersecurity firm Scythe.

From February to March, the number of known ransomware victims surged from 185 to 283, according to consultancy NCC Group.

Based on attacks that have come to light, LockBit 2.0 was the most prolific, accounting for 96 of the 283 attacks, followed by Conti with 71 attacks, Hive with 26 attacks and BlackCat, aka Alphv, with 23 attacks, NCC Group says. Of the known victims, 44% are based in North America, followed by Europe with 38% and Asia with 7%, it adds.

That $1,000,000 bounty sure would make for a nice payday.

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225
Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson