from the cash-for-ransom-bugs dept.
Lockbit ransomware gang creates first malicious bug bounty program:
Today, the Lockbit ransomware gang announced the launch of Lockbit 3.0, a new ransomware-as-a-service offering and a bug bounty program.
According to Lockbit's leak site, as part of the bug bounty program, the cyber gang will pay all security researchers, ethical and unethical hackers "to provide Personally Identifiable Information (PII) on high-profile individuals and web exploits in exchange for remuneration ranging from $1,000 to $1 million."
[...] "A key focus of the bug bounty program is defensive measures: preventing security researchers and law enforcement from finding bugs in its leak sites or ransomware, identifying ways that members including the affiliate program boss could be doxed, as well as finding bugs within the messaging software used by the group for internal communications and the Tor network itself," Narang said.
The writing on the wall is that Lockbit's adversarial approach is about to get much more sophisticated. "Anyone that still doubts cybercriminal gangs have reached a level of maturity that rivals the organizations they target may need to reassess," said Mike Parkin, senior technical engineer at Vulcan Cyber.
[...] "This should have every enterprise looking at the security of their internal supply chain, including who and what has access to their code, and any secrets in it. Unethical bounty programs like this turn passwords and keys in code into gold for everybody who has access to your code," said Casey Bisson, head of product and developer enablement at BluBracket.
Lockbit 3.0 Ransomware bughunting for $$$

So the makers of ransomware are now offering bug bounties to find bugs in their software and info to doxx them. Rewards ranging from $1k to millions. Question is, can you trust them to pay out if you find something? And if you find something, wouldn't it be more appropriate to send them to jail with it? Or if you are a crook, wouldn't you use what you found against them? Isn't it also a security risk for them to share code for their malware ransomware with outsiders?
I guess the question is: if you found something, would you (1) give it to them for the bounty, (2) use it against them to steal their shit, or (3) turn it over to law enforcement?