Like an ordinary company, the LockBit ransomware group has launched a bug bounty program in which outside programmers are invited to report bugs, including flaws that could reveal the gang's IP addresses. The reward pot is said to be worth over $XNUMX million.
Legitimate software companies use classic bug bounty programs to improve their software. That a ransomware group is now doing so officially, as ComputerWeekly.com reports, is genuinely new. However, the LockBit group is not only looking for, and paying for, reports of bugs in its own ransomware: it also wants to be told about worthwhile targets, for example a company whose website is vulnerable to cross-site scripting.
Rewards starting at $1000
In screenshots circulating online, the ransomware-as-a-service (RaaS) gang announces that it aims to "make ransomware great again". It also lists a number of areas in which tips from "all security researchers, ethical and unethical hackers" earn rewards starting at $1,000.
The LockBit gang is particularly interested in hearing about website bugs, for example cross-site scripting (XSS) vulnerabilities. According to the article, such flaws would let the gang get its encryption tool onto a target, or find out which additional security measures the target has already put in place. In that case the attackers would first try to take control of protective mechanisms such as file versioning, so that the encrypted data can no longer be restored from earlier versions, much as happened in an attack on OneDrive.
Insiders wanted
According to earlier findings by Trend Micro, the gang is also constantly looking for insiders who will betray their employer for a reward by granting the gang access or leaking credentials. The gang also wants to reward tips about high-value targets, with bonuses reportedly reaching up to one million dollars.
LockBit currently tops the list of the most successful ransomware operations, at least according to Malwarebytes' May 2022 ransomware report.