
posted by hubie on Wednesday July 06 2022, @01:49AM
from the cash-for-ransom-bugs dept.

Lockbit ransomware gang creates first malicious bug bounty program:

Today, the Lockbit ransomware gang announced the launch of Lockbit 3.0, a new ransomware-as-a-service offering and a bug bounty program.

According to Lockbit's leak site, as part of the bug bounty program, the cyber gang will pay all security researchers, ethical and unethical hackers "to provide Personally Identifiable Information (PII) on high-profile individuals and web exploits in exchange for remuneration ranging from $1,000 to $1 million."

[...] "A key focus of the bug bounty program are defensive measures: preventing security researchers and law enforcement from finding bugs in its leak sites or ransomware, identifying ways that members including the affiliate program boss could be doxed, as well as finding bugs within the messaging software used by the group for internal communications and the Tor network itself," Narang said.

The writing on the wall is that Lockbit's adversarial approach is about to get much more sophisticated. "Anyone that still doubts cybercriminal gangs have reached a level of maturity that rivals the organizations they target, may need to reassess," said Mike Parkin, senior technical engineer at Vulcan Cyber.

[...] "This should have every enterprise looking at the security of their internal supply chain, including who and what has access to their code, and any secrets in it. Unethical bounty programs like this turn passwords and keys in code into gold for everybody who has access to your code," said Casey Bisson, head of product and developer enablement at BluBracket.

Lockbit 3.0 Ransomware bughunting for $$$

So the makers of ransomware are now offering bug-bounties to find bugs in their software and info to doxx them. Rewards ranging from $1k to millions. Question is, can you trust them to pay out if you find something? And if you find something, wouldn't it be more appropriate to send them to jail with it? Or if you are a crook, wouldn't you use what you found against them? Isn't it also a security risk for them to share code for their malware/ransomware with outsiders?

I guess the question is: if you found something would you (1) give it to them for the bounty (2) use it against them to steal their shit (3) turn it over to law enforcement?

  • (Score: 2, Interesting) by Runaway1956 on Wednesday July 06 2022, @02:32AM (3 children)

    by Runaway1956 (2926) Subscriber Badge on Wednesday July 06 2022, @02:32AM (#1258439) Journal

    would you (1) give it to them for the bounty (2) use it against them to steal their shit (3) turn it over to law enforcement?

    Why not do all three? Get their bounty, while stealing their data, then turn it over to law enforcement. There's nothing unethical in that, is there?

    • (Score: 5, Interesting) by Anonymous Coward on Wednesday July 06 2022, @02:45AM (2 children)

      by Anonymous Coward on Wednesday July 06 2022, @02:45AM (#1258442)

      "Why not do all three? Get their bounty, while stealing their data, then turn it over to law enforcement. There's nothing unethical in that, is there?"

      That sounds pretty much like a typical Republican response. Absolutely lacking any ethics. Take their money, steal their business and drop a dime on them just for kicks.

      • (Score: 3, Interesting) by Anonymous Coward on Wednesday July 06 2022, @02:47AM (1 child)

        by Anonymous Coward on Wednesday July 06 2022, @02:47AM (#1258443)

        Mod bombs falling in 3...2...

        • (Score: 1, Interesting) by Anonymous Coward on Wednesday July 06 2022, @10:36AM

          by Anonymous Coward on Wednesday July 06 2022, @10:36AM (#1258489)

          I have modded all three comments above up (the third for precisely predicting the future) for I believe neither comment is bad enough to deserve downvoting.

  • (Score: 3, Funny) by Opportunist on Wednesday July 06 2022, @05:08AM (1 child)

    by Opportunist (5545) on Wednesday July 06 2022, @05:08AM (#1258459)

    I mean, selling the security problem first to its maker in their bug bounty program, then turning around and selling it to these guys. Afterwards, I can still hand it to my boss to include it in our next AV signature update.

    Asking for a friend.

    • (Score: 2) by cmdrklarg on Thursday July 07 2022, @05:04PM

      by cmdrklarg (5048) Subscriber Badge on Thursday July 07 2022, @05:04PM (#1258717)

      Username checks out!

      --
      The world is full of kings and queens who blind your eyes and steal your dreams.