Corporatization of Ransomware Industry Continues as LockBit “Ransomware-as-a-Service” Gang Offers Bug Bounty Program

Ransomware-as-a-service (RaaS) operators will never be regarded as legitimate businesses, but this has not stopped them from copying the organizational structure of a standard corporation. The LockBit gang is the latest to push the envelope by offering the criminal underworld’s first known bug bounty program.

Ransomware has become a billion-dollar industry globally, with some estimates now putting average payments at $1 million to $2 million. With this much money in play, the biggest names in the business have started adopting professional structures for more efficient operations: everything from hiring contractors for piecework through legitimate job portal sites (who often aren’t aware they are working for a criminal outfit) to setting up internal human resources departments to manage workers.

LockBit bug bounty program a first for the ransomware world

LockBit’s bug bounty program does differ substantially from that of a legitimate organization, however. Companies usually offer rewards to ethical hackers who uncover and privately report potential vulnerabilities before they can be exploited; LockBit also solicits their unethical counterparts for exploits and for personally identifiable information that can be used against future victims. The RaaS group is offering payments ranging from $1,000 to $1,000,000 USD in return for both illicit information and help in improving its own internal security. And, in what is assuredly meant as a publicity stunt, the group offered its largest possible reward for revealing the identity of the leader of the gang.

LockBit is one of the biggest RaaS groups in operation at the moment, estimated by security researchers to be involved with nearly half of the worldwide ransomware attacks conducted in May. Raking in tens of millions in ransomware payments annually, LockBit can likely afford to offer a bug bounty program. The question is whether anyone unscrupulous enough to participate would actually trust the group to pay up. As Nigel Houghton, Director of Marketplace and Ecosystem Development at ThreatQuotient, observes: “A bug bounty program for LockBit’s operations sounds to me like something they are doing to attract attention. Who is going to waste a bug selling it to these guys? On the other hand, bug bounty programs and contributions on how they might improve their software are cheap ways to get some development work and QA/testing done. Also, there’s no way LockBitSupp is one person; this is a group and nobody is getting that $1 million ‘prize’, but the whole stunt will certainly make people talk about them and raise their profile.”

This also comes as LockBit is engaging in a general rebrand, calling itself “LockBit 3.0” and rolling out new “features” for its criminal RaaS clients such as the ability to accept privacy coin ZCash as a form of payment. This follows the restructuring of its biggest rival in the RaaS space, Conti, which opted to splinter off into smaller groups after the brand name became a little too well-known and of interest to law enforcement. The two groups appear to be taking opposite approaches, with Conti willing to downsize for the purpose of evasiveness while LockBit doubles down on being a ransomware brand name with media spectacles such as the bug bounty program.

RaaS industry continues to evolve

Ransomware has had its peaks and valleys as an attack method over the years, with some security analysts feeling it was on the way out as a primary approach for cyber criminals during a lull period in 2016. It came surging back along with the crypto boom that began in 2017, but does not appear to be slowing down with the current crypto crash.

Professional criminal gangs like LockBit now make far too much money to give up, and have entrenched themselves and ironed out the kinks in their operations. The early ransomware gangs simply “sprayed and prayed,” using botnets to send indiscriminate email or text message attacks and often hitting individual device users who had little means to pay. The industry really took off when it became more selective about who it went after, spearphishing larger organizations with high revenue and/or cyber insurance that would cover the ransom demand. RaaS gangs like LockBit also greatly expanded the scope of who could participate: when less organized criminals manage to breach a network, they can call in the RaaS operator, which encrypts everything, filches sensitive files and handles the negotiation in return for a cut of the proceeds.

Offering things like a bug bounty program keeps the gangs in the news, at the top of mind for victims (who may be more readily convinced to pay up) and potential clients (who will think of the “big name” RaaS gangs first when they breach a network). John Bambenek, Principal Threat Hunter at Netenrich, believes that the bug bounty program and similar developments are 100% about this sort of media PR campaign and not a serious offer that the groups expect people to pursue: “… I doubt they will get many takers. I know that if I find a vulnerability, I’m using it to put them in prison. If a criminal finds one, it’ll be to steal from them because there is no honor among ransomware operators.”

LockBit has been the most active of the RaaS gangs thus far in 2022, outpacing Conti even when that group was still operating. LockBit is also the group most likely to target the financial sector, and racked up 220 known victims (out of over 900 recorded attempts) in the first quarter of 2022. This is a significant increase in activity from 2021 for the group, and it opened 2022 with a bang by hitting France’s Ministry of Justice. The group was also previously focused on Windows systems, but in late 2021 debuted an update to its ransomware able to compromise Linux systems as well. Their leak site is also far more active on weekdays than on weekends, with a recent Trend Micro report finding that only 22% of their document dumps happen on Saturday and Sunday.