While companies have yet to fully acknowledge the significance of running bug bounty programs, cybercriminals have seemingly realized this potential. Thus, in an ironic move, the LockBit ransomware gang has debuted a bug bounty program for its LockBit 3.0.
LockBit 3.0 Ransomware Bug Bounty Program
Reporting what they observed on the dark web, Bleeping Computer's Lawrence Abrams explained that the LockBit threat actors announced $1000 to $1 million bounties for finding and reporting various issues in the LockBit 3.0 build.
LockBit 3.0 is the latest variant of the notorious LockBit ransomware, following LockBit 2.0. The attackers recently launched the 3.0 variant after two months of beta-testing. Yet, despite the short time, it has emerged as a potent malware accounting for 40% of ransomware attacks in May 2022.
With the formal 3.0 variant release, the LockBit gang also announced the first ransomware bug bounty program. According to the statement given on their dark web site,
We invite all security researchers, ethical and unethical hackers in the world to take part in our bug bounty program. The amount of remuneration varies from $1000 to $1 million.
Another thing that sets it apart from typical bug bounty programs is the side offer for "good ideas." The attackers would reward anyone sharing ideas for improving the ransomware operations, as well as anyone doxing the affiliate program manager.
Regarding the "scope" of this bug bounty program, the attackers list the following as eligible for bounties.
- Website bugs, such as MySQL injections and XSS, that allow obtaining the decryptor or reveal correspondence with victims.
- Locker bugs that allow file decryption without the decryptor.
- Doxing the affiliate program boss ($1 million bounty pledged).
- TOX messenger bugs.
- Tor network bugs that expose the site's servers.
- Good ideas for improving ransomware operations.
For the payments, LockBit has chosen Zcash and Monero, two hard-to-trace privacy coins.
Of course, while it is lucrative, it is not legitimate for ethical hackers and bug bounty hunters to take part in this program, as doing so would only aid the criminals.