LockBit Ransomware Gang Introduces the First Ransomware Bug Bounty Program in the Dark Web

Last weekend, the most prolific ransomware-as-a-service (RaaS) operation LockBit released a new version of its eponymous encryptor which is already being used by hackers. Along with LockBit 3.0 the cybercriminals announced the first bug bounty program offered by a RaaS gang.

LockBit added a new bug bounty page to its website and offered security researchers the rewards ranging between $1,000 and $1 million for their vulnerability reports. The amount of the reward depends on the severity of a vulnerability. In particular, the group is willing to pay for the information about flaws in their website (XSS, SQL injection and web shell attacks), locker, TOX messenger, and Tor network.

The highest reward, which is $1 million, is announced for doxing the RaaS operation leader. In March, the LockBit boss, who calls itself LockBitSupp, claimed that he was willing to pay $1 million to an FBI agent who could “de-announce” them.

Semiconductor manufacturer AMD had to start an investigation because of the RansomHouse extortion gang recent post. According to this post, RansomHouse stole hundreds of gigabytes of files from the company’s internal network. After a week of teasing on Telegram, on June 27, 2022, the hackers finally added AMD to their victims list on their data leak website.

RansomHouse claimed that they managed to steal 450GB of data from the manufacturer’s network, including research and financial info. But the gang didn’t provide any proof except for one or two files which are believed to be stolen from the company’s Windows domain. These files contain a list of over 70,000 devices allegedly connected to AMD’s internal network and a list of the manufacturer’s corporate passwords which are surprisingly weak.

RansomHouse is known for not encrypting victims’ data before the theft. The gang does not bother to negotiate with its victims and demand a ransom but attempts to sell the stolen files to third parties for a decent price instead.

One of Iran’s major steel companies fell a victim to a cyberattack which forced it to unwillingly stop production. Previously unknown threat actor who goes by moniker “Gonjeshke Darande” took responsibility for the incident and claimed that they attacked a state-owned Khouzestan Steel Co. and two other major steel manufacturers in Iran – Mobarakeh Steel Co. and Hormozgan Steel Co. – because of the “aggression of the Islamic Republic.”

The hackers published a video allegedly from the factory that showed a damaged steel billet production equipment which caused a huge fire. Based on the timestamps, the video was filmed on June 27, 2022.

According to a Twitter post by @GonjeshkeDarand, three target companies “are subject to international sanctions”, but nevertheless, they continue their operations. The hackers claimed, that the cyberattacks were carried out carefully “to protect innocent individuals”.

Evilnum APT group is back with new TTPs, said the researches from Zscaler’s ThreatLabz. These new attacks coincide with Russia’s invasion of Ukraine. The focus shift from financial services to European intergovernmental organization involved in international migration is also notable and coincide with a current political situation.

The attack chain begins with the malicious document delivered via spear-phishing email. In the most recent attacks, Evilnum APT has started using MS Office Word documents. In particular, they deliver the malicious payload to the victims’ computers using document template injection. At the final stage of attack a backdoor is dropped.

Researchers from Black Lotus Labs of Lumen Technologies uncovered a malicious campaign which remained undetected for two years. In this campaign, allegedly APT group used a ZuoRAT remote access trojan (RAT) to target office/home office (SOHO) routers via known vulnerabilities. The hackers’ goal was to compromise remote workers.

The campaign started in October 2020 and affected organizations in North America and Europe. Using ZuoRAT, the attackers enumerated the adjacent home network, intercept data, and hijack DNS/HTTP internet traffic.

Thanks to the hijacking feature of ZuoRAT, the threat actor was able to move from the compromised home device to computers in the network. From there, they deployed two additional remote access trojans. One of them could work not only on Windows machines, but on Linux and MacOS as well. Using this additional malware, the attackers uploaded and downloaded files, run commands and maintained persistence on the compromised machine.