[MART] - Daily Diary #597 - LockBit Paid its First Bug Bounty

ctas-mat at appgate.com ctas-mat at appgate.com
Mon Sep 19 22:20:04 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

09/19/2022 - Diary entry #597:

Covered in several of our Daily Diaries, most recently in Daily Diary #527, LockBit is one of the most dangerous ransomware groups active today. LockBit operates under the Ransomware-as-a-Service business model, selling its platform and malware to third-party attackers who target organizations across different countries and sectors. LockBit's wall-of-shame is one of the many monitored by our team, and new targets are uploaded to it every week.

In June this year, LockBit’s bug bounty program was announced along with its new ransomware version (3.0). LockBit’s bug bounty program, covered in our Daily Diary #541, offers rewards ranging from $1,000 to $1 million (USD) for reporting bugs in its website (cross-site scripting or XSS), locker (encryption), vulnerabilities in Tox messenger, and the Tor Network.

Late last week, LockBit published a blog post on its wall-of-shame revealing that it had paid its first bug bounty. An individual contacted LockBit claiming that a vulnerability in LockBit’s locker/cryptor allowed any .vmdk or .vhdx virtual hard disk files to be decrypted for free. After being shown proof, LockBit’s “spokesperson” paid the amount of $50.000 (USD) and thanked a supposed FBI agent/security company insider for the contribution.

The post also contains screenshots of the conversation, in which the individual reveals that LockBit inherited an encryption algorithm from BlackMatter that allows the key to be recovered from big files containing lots of zeroes. Such files are common among database dumps, disk backups, and virtual machine disk files, meaning that before the disclosure, reverse engineering the malware and the encrypted files could have allowed the recovery of many valuable files without paying the ransom.

Unfortunately, this incident may encourage more individuals to contribute to the LockBit bug bounty program. On the other hand, with the disclosure, it is possible to recover (some) files from environments previously infected with LockBit at companies that decided not to pay the ransom. LockBit, like most ransomware families, inherits code from other malware, so reverse-engineering this kind of threat and finding vulnerabilities in it can help hundreds of other victims recover their files.

Kind Regards,

MART

Malware Analysis and Research Team
Appgate

E: ctas-mat at appgate.com
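
The weakness described in the diary entry above (key material recoverable from large files containing lots of zeroes), illustrated with a toy model as an added example; it is not code from the original message and it is not LockBit's or BlackMatter's algorithm, which the message does not describe. It assumes a hypothetical cipher that XORs every 64-byte block with the same keystream block, and the sparse "disk image" is constructed sample data.

```python
import os
from collections import Counter

BLOCK = 64  # assumed keystream period of the toy cipher, in bytes


def toy_encrypt(data: bytes, keystream: bytes) -> bytes:
    """Hypothetical flawed cipher: XOR every block with the same keystream.
    XOR is its own inverse, so the same call also decrypts."""
    return bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(data))


def recover_keystream(ciphertext: bytes, block: int = BLOCK) -> bytes:
    """Zero plaintext XOR keystream == keystream, so in a zero-heavy file
    the most frequent ciphertext block is the keystream itself."""
    blocks = [ciphertext[i:i + block]
              for i in range(0, len(ciphertext) - block + 1, block)]
    candidate, count = Counter(blocks).most_common(1)[0]
    if count < 2:
        # Failure mode: dense or high-entropy files give no repeated block.
        raise ValueError("no repeated block: file is not zero-heavy enough")
    return candidate


def build_sparse_image() -> bytes:
    """Constructed sample: a mostly empty 'disk image' with some real data."""
    image = bytearray(BLOCK * 256)                      # zero-filled
    image[0:16] = b"CONSTRUCTED-HDR\x00"
    image[BLOCK * 10:BLOCK * 10 + 27] = b"customer-db: sample record\n"
    image[BLOCK * 200:BLOCK * 204] = os.urandom(BLOCK * 4)  # dense region
    return bytes(image)


def demo() -> bool:
    keystream = os.urandom(BLOCK)        # never given to recover_keystream
    plaintext = build_sparse_image()
    ciphertext = toy_encrypt(plaintext, keystream)
    recovered = recover_keystream(ciphertext)
    # The recovered keystream decrypts the whole file, not only the zeroes.
    return toy_encrypt(ciphertext, recovered) == plaintext


if __name__ == "__main__":
    print("file recovered without the key:", demo())
```

The same property explains why database dumps, disk backups and virtual machine disk files were the affected file types: they contain long zero-filled regions, while dense files hit the `ValueError` path.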