Ransomware as a Service (RaaS?)
looorg writes:
Lockbit ransomware gang creates first malicious bug bounty program:
Today, the Lockbit ransomware gang announced the launch of Lockbit 3.0, a new ransomware-as-a-service offering and a bug bounty program.
According to Lockbit's leak site, as part of the bug bounty program, the cyber gang will pay all security researchers, ethical and unethical hackers "to provide Personally Identifiable Information (PII) on high-profile individuals and web exploits in exchange for remuneration ranging from $1,000 to $1 million."
[...] "A key focus of the bug bounty program is defensive measures: preventing security researchers and law enforcement from finding bugs in its leak sites or ransomware, identifying ways that members including the affiliate program boss could be doxed, as well as finding bugs within the messaging software used by the group for internal communications and the Tor network itself," Narang said.
The writing on the wall is that Lockbit's adversarial approach is about to get much more sophisticated. "Anyone that still doubts cybercriminal gangs have reached a level of maturity that rivals the organizations they target may need to reassess," said Mike Parkin, senior technical engineer at Vulcan Cyber.
[...] "This should have every enterprise looking at the security of their internal supply chain, including who and what has access to their code, and any secrets in it. Unethical bounty programs like this turn passwords and keys in code into gold for everybody who has access to your code," said Casey Bisson, head of product and developer enablement at BluBracket.
Read more of this story at SoylentNews.