Bug bounty programs are no longer unusual, except in the criminal underworld. But even ransomware-as-a-service (RaaS) gangs appear to be adopting the idea, as one of the most active, LockBit, has announced that it will pay all takers for choice information.
RaaS groups have tried all sorts of unorthodox tricks as billions of dollars have flowed from ransomware victims, including adopting the practices of respectable businesses in an attempt to legitimize themselves. While this latest gambit from LockBit is likely more of a publicity stunt than a genuine attempt at a bug bounty program, it reflects the comfort level that online criminals have settled into as they make millions of dollars every month and rarely face repercussions.
RaaS gangs continue to play at being legitimate businesses
RaaS gangs themselves are a big piece of the ongoing evolution of ransomware, which began with spam campaigns that sent emails to random individuals and has progressed to organized crime that targets the most lucrative and vulnerable with military precision.
The RaaS development has made ransomware attacks available to criminals that do not have nearly as much skill in this area, and these groups are now the leading source of ransomware attacks across the globe. LockBit is one of the leaders in this area and likely the most active current RaaS gang, with 220 victims recorded as of April 2022. The group attacks both Windows and Linux systems and was also very active in 2021.
Another big development in ransomware has been the splashy media announcement by RaaS operators, made to generate awareness of the group, and this bug bounty program most likely falls into that category. There would be little reason to trust a gang of thieves in the first place, or to take them up on reward offers for information that could be put to better use elsewhere.
LockBit has put the offer out there, however, requesting information both about its own potential vulnerabilities and points of attack in other networks. The supposed bug bounty program offers varying amounts of money for different types of information, with the largest reward (of $1 million) offered to anyone who can manage to identify the group’s leader.
LockBit bug bounty program not likely to attract participants
LockBit is currently thought to be involved in around half of all ransomware attacks worldwide and is bringing in millions of dollars monthly. It’s not unheard of for groups of this magnitude to spend money on elements of legitimate business operations, such as research and development for new types of custom ransomware or monitoring of developments in cyber defense. But the bug bounty program is almost certainly meant to get the group’s name out, attract new criminal clients and intimidate future victims into paying.
LockBit has been on something of an advertising campaign as of late, announcing the release of “LockBit 3.0” and adding new “features” for its hacker partners to take advantage of when planning out their attacks.