The active ransomware group LockBit released a new version of its "LockBit 3.0" malware over the weekend and announced a bug bounty program that offers rewards for ways to improve the ransomware's functionality.
While few details were given about the technical improvements to the ransomware-as-a-service operation, the team invited all security researchers and hackers to participate in a bug bounty program, which reportedly offers rewards ranging from $1,000 to as much as $1 million.
Lockbit ransomware group announced today Lockbit 3.0 is officially released with the message: "Make Ransomware Great Again!"
Additionally, Lockbit has launched their own Bug Bounty program paying for PII on high-profile individuals, web security exploits, and more… pic.twitter.com/ByNFdWe4Ys
— vx-underground (@vxunderground) June 26, 2022
The team says it is looking for bugs in its website, bugs in ports, and ideas to improve the malware, among other things.
But several security researchers doubt the effectiveness of LockBit's bug bounty program.
"Since Lockbit 3.0's bug bounty program is essentially inviting people to help with a felony for a reward, they may think that $1,000 is a bit much because of the risks involved for those who might decide to help them," said Casey Ellis, founder of Bugcrowd.
"I doubt security researchers will be interested. I know if I find a vulnerability, I'll use it to put them in jail," said John Bambenek, a threat hunter at cybersecurity firm Netenrich. "If a criminal finds a bug, it will be to steal from them, because there is no honor among ransomware administrators."
However, the introduction of a bug bounty program highlights how ransomware groups now operate. They appear to exist on the darknet with impunity and, in some cases, have grown so much that they look like normal businesses.