The LockBit ransomware group just released its latest ransomware-as-a-service offering, LockBit 3.0, and along with it a first for the Dark Web: a bug-bounty program.
The bounty program offers rewards for personally identifiable information (PII) on high-value targets, security exploits, and more, according to screen grabs of messages that appear to have been shared by LockBit actors.
"We invite all security researchers, ethical and unethical hackers on the planet," the group reportedly posted, offering payments for website bugs, locker bugs, TOX messenger exploits, and information to fuel doxxing campaigns, with payments starting at $1,000. The group is even willing to pay for fresh cybercrime ideas, the ad says.
LockBit is on a roll. In the wake of Conti's shutdown, LockBit 2.0 emerged as the dominant ransomware-as-a-service group in May, with the dubious distinction of being behind 40% of all ransomware attacks during the month. LockBit operators seem poised to capitalize with a new, malicious twist on bug-bounty programs.
'No Honor Among Ransomware Operators'
"I wish this surprised me," Mike Parkin, senior technical engineer at Vulcan Cyber, said in reaction to the LockBit bug-bounty launch. "But malware gangs have reached a level of maturity that they are, literally, professionally run businesses."
While the innovation is noteworthy as a development in the ransomware business, John Bambenek, principal threat hunter at Netenrich, said he doubts anyone would actually submit something and expect to collect the bounty.
"This development is different; however, I doubt they will get many takers," Bambenek said in a statement provided to Dark Reading. "I know that if I find a vulnerability, I'm using it to put them in prison. If a criminal finds one, it'll be to steal from them because there is no honor among ransomware operators."