{
	"id": "03ac0f33-69eb-4a7d-94d2-95b53d58963d",
	"created_at": "2026-04-06T01:31:44.043626Z",
	"updated_at": "2026-04-10T03:21:54.826885Z",
	"deleted_at": null,
	"sha1_hash": "a0a0edeabdefe4afc8de5434da7b8a5d88ec08fd",
	"title": "LockBit 3.0 introduces the first ransomware bug bounty program",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3787591,
	"plain_text": "LockBit 3.0 introduces the first ransomware bug bounty program\r\nBy Lawrence Abrams\r\nPublished: 2022-06-27 · Archived: 2026-04-06 00:37:36 UTC\r\nThe LockBit ransomware operation has released 'LockBit 3.0,' introducing the first ransomware bug bounty program and\r\nleaking new extortion tactics and Zcash cryptocurrency payment options.\r\nThe ransomware operation launched in 2019 and has since grown to be the most prolific ransomware operation, accounting\r\nfor 40% of all known ransomware attacks in May 2022.\r\nOver the weekend, the cybercrime gang released a revamped ransomware-as-a-service (RaaS) operation called LockBit 3.0\r\nafter beta testing for the past two months, with the new version already used in attacks.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/\r\nPage 1 of 7\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/\r\nPage 2 of 7\n\nVisit Advertiser websiteGO TO PAGE\r\nWhile it is unclear what technical changes were made to the encryptor, the ransom notes are no longer named 'Restore-My-Files.txt' and instead have moved to the naming format, [id].README.txt, as shown below.\r\nLockBit 3.0 ransom note\r\nSource: BleepingComputer\r\nLockBit 3.0 bug bounty program\r\nWith the release of LockBit 3.0, the operation has introduced the first bug bounty program offered by a ransomware gang,\r\nasking security researchers to submit bug reports in return for rewards ranging between $1,000 and $1 million.\r\n\"We invite all security researchers, ethical and unethical hackers on the planet to participate in our bug bounty program. The\r\namount of remuneration varies from $1000 to $1 million,\" reads the LockBit 3.0 bug bounty page.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/\r\nPage 3 of 7\n\nLockBit 3.0 bug bounty program\r\nSource: BleepingComputer\r\nHowever, this bug bounty program is a bit different than those commonly used by legitimate companies, as helping the\r\ncriminal enterprise would be illegal in many countries.\r\nFurthermore, LockBit is not only offering bounties for rewards on vulnerabilities but is also paying bounties for \"brilliant\r\nideas\" on improving the ransomware operation and for doxxing the affiliate program manager.\r\nThe following are the various bug bounty categories offered by the LockBit 3.0 operation:\r\nWeb Site Bugs: XSS vulnerabilities, mysql injections, getting a shell to the site and more, will be paid\r\ndepending on the severity of the bug, the main direction is to get a decryptor through bugs web site, as\r\nwell as access to the history of correspondence with encrypted companies.\r\nLocker Bugs: Any errors during encryption by lockers that lead to corrupted files or to the possibility of\r\ndecrypting files without getting a decryptor.\r\nBrilliant ideas: We pay for ideas, please write us how to improve our site and our software, the best ideas\r\nwill be paid. What is so interesting about our competitors that we don't have?\r\nDoxing: We pay exactly one million dollars, no more and no less, for doxing the affiliate program boss.\r\nWhether you're an FBI agent or a very clever hacker who knows how to find anyone, you can write us a\r\nTOX messenger, give us your boss's name, and get $1 million in bitcoin or monero for it.\r\nTOX messenger: Vulnerabilities of TOX messenger that allow you to intercept correspondence, run\r\nmalware, determine the IP address of the interlocutorand other interesting vulnerabilities.\r\nTor network: Any vulnerabilities which help to get the IP address of the server where the site is installed\r\non the onion domain, as well as getting root access to our servers, followed by a database dump and onion\r\ndomains.\r\nThe $1,000,000 reward for identifying the affiliate manager, known as LockBitSupp, was previously offered on the XSS\r\nhacking forum in April.\r\nLockBitSupp offering a $1 million bounty to anyone who identifies them\r\nSource: BleepingComputer\r\nUpcoming ZCash payment option?\r\nWhen opening the Tor sites for the LockBit 3.0 negotiation and data leak sites, visitors are presented with an animated logo\r\nwith various cryptocurrency icons rotating around it.\r\nThe cryptocurrency icons shown in this animation are Monero and Bitcoin, which the operation accepted as ransom\r\npayments in the past, but also includes the privacy coin known as Zcash.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/\r\nPage 4 of 7\n\nNew cryptocurrency animation on LockBit 3.0 sites\r\nSource: BleepingComputer\r\nThe addition of Zcash as a payment option is not surprising for a ransomware operation.\r\nCryptocurrency tracking companies and law enforcement seizures have repeatedly shown that Bitcoin can be traced, and\r\nwhile Monero is a privacy coin, it isn’t offered for sale by the vast majority of US crypto exchanges.\r\nZcash is also a privacy coin, making it harder to trace. Still, it is currently offered for sale at the most popular US crypto\r\nexchange, Coinbase, making it easier for victims to purchase for ransom payments.\r\nHowever, if ransomware operations switch to accepting payments in this coin, we will likely see it be removed from US\r\nexchanges due to pressure from the US government.\r\nLockBit to sell victim's stolen data?\r\nLeMagIT's Valery Marchive discovered that the LockBit 3.0 operation is utilizing a new extortion model, allowing threat\r\nactors to buy data stolen during attacks.\r\nOne of the JavaScript files used by the new LockBit 3.0 data leak site shows a new HTML modal dialog that allows people\r\nto purchase data leaked on the site.\r\nAs you can see below, the modals will offer the ability to buy the data and download it either through a Torrent or directly\r\non the site. The available options may be determined based on the size of the stolen data, with Torrents being used for large\r\ndata dumps and direct downloads for smaller amounts.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/\r\nPage 5 of 7\n\nJavaScript source showing new data extortion method\r\nSource: BleepingComputer\r\nAs the LockBit 3.0 data leak site does not currently contain any victims, it is not clear how this new extortion tactic will\r\nwork or if it is even enabled.\r\nLockBit is one of the most active ransomware operations, with its public-facing operator actively engaging with other threat\r\nactors and the cybersecurity community.\r\nDue to its ongoing adoption of new tactics, technology, and payment methods, it is vital for security and network\r\nprofessionals to stay up to date on the evolution of the operation.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/\r\nPage 6 of 7\n\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/"
	],
	"report_names": [
		"lockbit-30-introduces-the-first-ransomware-bug-bounty-program"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439104,
	"ts_updated_at": 1775791314,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0a0edeabdefe4afc8de5434da7b8a5d88ec08fd.pdf",
		"text": "https://archive.orkl.eu/a0a0edeabdefe4afc8de5434da7b8a5d88ec08fd.txt",
		"img": "https://archive.orkl.eu/a0a0edeabdefe4afc8de5434da7b8a5d88ec08fd.jpg"
	}
}