LockBit 3.0 introduces the first ransomware bug bounty program

LockBit 3.0 introduces the first ransomware bug bounty program
By Lawrence Abrams
June 27, 2022 11:09 AM 0
LockBit 3.0

The LockBit ransomware operation has released 'LockBit 3.0,' introducing the first ransomware bug bounty program and leaking new extortion tactics and Zcash cryptocurrency payment options.

The ransomware operation launched in 2019 and has since grown to be the most prolific ransomware operation, accounting for 40% of all known ransomware attacks in May 2022.


Over the weekend, the cybercrime gang released a revamped ransomware-as-a-service (RaaS) operation called LockBit 3.0 after beta testing for the past two months, with the new version already used in attacks.

While it is unclear what technical changes were made to the encryptor, the ransom notes are no longer named 'Restore-My-Files.txt' and instead have moved to the naming format, [id].README.txt, as shown below.

LockBit 3.0 ransom note
LockBit 3.0 ransom note
Source: BleepingComputer
LockBit 3.0 bug bounty program
With the release of LockBit 3.0, the operation has introduced the first bug bounty program offered by a ransomware gang, asking security researchers to submit bug reports in return for rewards ranging between $1,000 and $1 million.


"We invite all security researchers, ethical and unethical hackers on the planet to participate in our bug bounty program. The amount of remuneration varies from $1000 to $1 million," reads the LockBit 3.0 bug bounty page.

LockBit 3.0 bug bounty program
LockBit 3.0 bug bounty program
Source: BleepingComputer
However, this bug bounty program is a bit different than those commonly used by legitimate companies, as helping the criminal enterprise would be illegal in many countries.

Furthermore, LockBit is not only offering bounties for rewards on vulnerabilities but is also paying bounties for "brilliant ideas" on improving the ransomware operation and for doxxing the affiliate program manager.

The following are the various bug bounty categories offered by the LockBit 3.0 operation:

Web Site Bugs: XSS vulnerabilities, mysql injections, getting a shell to the site and more, will be paid depending on the severity of the bug, the main direction is to get a decryptor through bugs web site, as well as access to the history of correspondence with encrypted companies.
Locker Bugs: Any errors during encryption by lockers that lead to corrupted files or to the possibility of decrypting files without getting a decryptor.
Brilliant ideas: We pay for ideas, please write us how to improve our site and our software, the best ideas will be paid. What is so interesting about our competitors that we don't have?
Doxing: We pay exactly one million dollars, no more and no less, for doxing the affiliate program boss. Whether you're an FBI agent or a very clever hacker who knows how to find anyone, you can write us a TOX messenger, give us your boss's name, and get $1 million in bitcoin or monero for it.
TOX messenger: Vulnerabilities of TOX messenger that allow you to intercept correspondence, run malware, determine the IP address of the interlocutorand other interesting vulnerabilities.
Tor network: Any vulnerabilities which help to get the IP address of the server where the site is installed on the onion domain, as well as getting root access to our servers, followed by a database dump and onion domains.
The $1,000,000 reward for identifying the affiliate manager, known as LockBitSupp, was previously offered on the XSS hacking forum in April.