Chris Swagler | July 1st, 2022

“LockBit 3.0”, the first ransomware bug bounty program, was introduced by the LockBit ransomware operation along with new extortion tactics and Zcash cryptocurrency payment options. The ransomware operation has become the most prolific since launching in 2019 and accounted for 40% of all ransomware attacks in May 2022. After two months of beta testing, with the new version already being deployed in attacks, the cybercrime group released LockBit 3.0, an updated ransomware-as-a-service (RaaS) operation. The ransom note name changed from “Restore-My-Files.txt” to [id].README.txt; however, it’s unknown what technical changes were made to the encryptor.

With the release of LockBit 3.0, the operation launched the first ransomware bug bounty program, in which the ransomware group offers security researchers money to submit bug reports. The LockBit 3.0 bug bounty page explains that the group is inviting all global security researchers, including ethical and unethical threat operators, to take part in its bug bounty program, with compensation ranging from $1,000 to $1 million. Helping criminal operations is illegal in many countries, and the bug bounty program also differs from those used by legitimate companies: in addition to paying for vulnerabilities, LockBit pays bounties for “great ideas” on how to improve the ransomware operation and for doxing the affiliate program manager. The LockBit 3.0 operation includes numerous bug bounty categories:

The $1 million reward was offered on the XSS hacking forum in April for identifying the affiliate manager, LockBitSupp.

Visitors who open the Tor negotiation and data leak sites are greeted by an animated logo with numerous cryptocurrency icons moving around it. The cryptocurrency icons displayed in the animation include Zcash, a privacy coin, along with Monero and Bitcoin, which the operation has previously accepted as ransom payment. It’s not surprising that the ransomware operation has added Zcash as a payment option. Even though Monero is also a privacy coin, most US crypto exchanges don’t host it, and Bitcoin can be traced by cryptocurrency tracking companies and law enforcement, which has led to seizures. Currently, Coinbase, the most popular US crypto exchange, offers Zcash for sale, which makes it easier for victims to pay ransoms. However, the United States government will probably put pressure on US exchanges to delist the coin if ransomware operations start accepting payments in it.

The LockBit 3.0 operation is using a new extortion model that allows threat actors to buy stolen data from attacks. One of the JavaScript files used by the new LockBit 3.0 data leak site displays an HTML modal dialog that allows visitors to buy data leaked on the site. The modal provides the option to purchase the data and download it through a Torrent or directly from the website. Depending on the size of the stolen data, different options are available, with Torrents being used for large data dumps and direct downloads for smaller amounts. It’s unclear how the new extortion method will work, or whether it’s even activated, because the LockBit 3.0 data leak site doesn’t yet list any victims. Meanwhile, its public-facing operator is actively interacting with other threat actors and the cybersecurity community.

With ransomware operators continuously adopting new tactics, technology, and payment methods, it’s critical for network professionals and companies to stay up to date with how these operations evolve and to regularly update their networks’ security infrastructure. At SpearTip, our advisory services allow our certified engineers to engage with companies’ people, processes, and technology to measure the maturity of the technical environment. Our extensive experience responding to thousands of security incidents helps close companies’ operational, procedural, and technical control gaps based on security standards. Furthermore, our ShadowSpear Platform evaluates the effectiveness of current technical controls, which allows our Security Operations Center to hunt for and identify advanced ransomware.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.