LockBit Ransomware Group Releases “LockBit 3.0”, Launches Multiple Dark Web Mirror Sites, Introduces First Ransomware Exploit Bounty Program

The LockBit ransomware group recently released "LockBit 3.0", which redesigns the UI of its ransomware websites. The group has launched an official blog site on the Dark Web, a documentation site to showcase evidence of the intrusion, a chat site to communicate with victims, and dozens of official mirrors for these sites; introduced the first vulnerability bounty program in the ransomware community, paying rewards for reports of vulnerabilities in its own operation; and added a Zcash cryptocurrency payment option to its ransom strategy.

LockBit 3.0 Officially Released

The LockBit ransomware group launched in 2019 and has since grown to become the most prolific ransomware group, accounting for 40 percent of all known ransomware attacks in May 2022.

The cybercrime group has released an improved ransomware-as-a-service (RaaS) operation called LockBit 3.0 after beta testing for the past two months, and the new version has been used in attacks.

While it is unclear what technical changes have been made to the encryption tool, the ransom note is no longer named "Restore-My-Files.txt"; it now uses the naming format [id].README.txt.
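A filename-based check for the two ransom note names mentioned above, as an added example that is not part of the original article. The id character set, the `min_dirs` threshold and the function names are assumptions, and the sample paths are constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Note name used before LockBit 3.0, as given in the article.
LEGACY_NOTE = "restore-my-files.txt"
# New format per the article: [id].README.txt. The article does not say what
# characters the id uses; assumed here: any non-empty token without dots.
NEW_NOTE_RE = re.compile(r"^(?P<id>[^.]+)\.README\.txt$", re.IGNORECASE)


def classify(path):
    """Return ('legacy', None), ('v3', id) or None for a created-file path."""
    name = PureWindowsPath(path).name
    if name.lower() == LEGACY_NOTE:
        return ("legacy", None)
    m = NEW_NOTE_RE.match(name)
    return ("v3", m.group("id")) if m else None


def find_note_bursts(paths, min_dirs=3):
    """Report note names that appear in at least min_dirs distinct folders.

    One 'setup.README.txt' is ordinary; the same prefix written into many
    directories is the pattern worth alerting on. min_dirs is an assumed
    tuning threshold, not a value from the article.
    """
    dirs = defaultdict(set)
    for p in paths:
        hit = classify(p)
        if hit is None:
            continue
        kind, note_id = hit
        key = (kind, note_id.lower() if note_id else LEGACY_NOTE)
        dirs[key].add(str(PureWindowsPath(p).parent).lower())
    return {k: sorted(d) for k, d in dirs.items() if len(d) >= min_dirs}


# Constructed file-creation events for illustration (not real telemetry).
SAMPLE = [
    r"C:\Users\alice\Documents\AbC123xyz.README.txt",
    r"C:\Users\alice\Desktop\AbC123xyz.README.txt",
    r"D:\Shares\Finance\abc123xyz.README.txt",
    r"C:\Tools\installer\setup.README.txt",
    r"C:\Users\bob\Restore-My-Files.txt",
    r"C:\Users\alice\Documents\report.docx",
]

if __name__ == "__main__":
    for key, folders in find_note_bursts(SAMPLE).items():
        print(key, len(folders), "folders")
```

Grouping by id before alerting keeps a single benign `*.README.txt` file from firing the rule while still catching the same note written across many folders.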

The new LockBit website consists of three sites

The LockBit ransomware group has launched three websites on the Dark Web: the group's official blog site, a documentation site to showcase evidence of the intrusion, and a chat site to communicate with victims, and has set up dozens of official mirrors for these sites with a luxurious and flashy website interface.

The blog site and its mirror (domain name starts with lockbitapt).


File sites and their mirrors (domain name starts with lockbit7z) that show evidence of the intrusion.


Chat sites and their mirrors for communicating with victims (domain name starts with lockbitsup).


The first vulnerability bounty program launched by a cybercrime group

This time, LockBit hackers made headlines by launching the first-ever cybercriminal gang-initiated exploit bounty program.

With the release of LockBit 3.0, the operation introduces the first vulnerability bounty program offered by a ransomware gang, asking security researchers to submit vulnerability reports in exchange for a reward of $1,000 to $1 million.

"We invite all security researchers, ethical and unethical hackers on the planet to participate in our vulnerability bounty program. The rewards range from $1,000 to $1,000,000." The LockBit 3.0 Vulnerability Bounty page reads.

However, this bug bounty program is a bit different from what legitimate companies typically use, as it is illegal in many countries to help criminal enterprises.

In addition, LockBit is offering bounties not only for vulnerabilities in its own operation, but also for "brilliant ideas" to improve its ransomware operations and for doxing the affiliate program boss.

The following are the various bug bounty categories offered by LockBit 3.0 operations.

Web Site Bugs: XSS vulnerabilities, mysql injections, getting a shell to the site and more, will be paid depending on the severity of the bug, the main direction is to get a decryptor through bugs web site, as well as access to the history of correspondence with encrypted companies.
Locker Bugs: Any errors during encryption by lockers that lead to corrupted files or to the possibility of decrypting files without getting a decryptor.
Brilliant ideas: We pay for ideas, please write us how to improve our site and our software, the best ideas will be paid. What is so interesting about our competitors that we don't have?
Doxing: We pay exactly one million dollars, no more and no less, for doxing the affiliate program boss. Whether you're an FBI agent or a very clever hacker who knows how to find anyone, you can write us a TOX messenger, give us your boss's name, and get $1 million in bitcoin or monero for it.
TOX messenger: Vulnerabilities of TOX messenger that allow you to intercept correspondence, run malware, determine the IP address of the interlocutor and other interesting vulnerabilities.
Tor network: Any vulnerabilities which help to get the IP address of the server where the site is installed on the onion domain, as well as getting root access to our servers, followed by a database dump and onion domains.

ZCash payment method support

When opening the Tor website of the LockBit 3.0 data breach site, visitors will see an animated logo surrounded by various jumping cryptocurrency icons.

The cryptocurrency icons shown in this animation include the privacy coin known as Zcash, in addition to Monero and Bitcoin, which have been accepted as ransom payments in the past.

The addition of Zcash as a payment option is not surprising for ransomware organizations.

Seizures by cryptocurrency tracking companies and law enforcement have repeatedly shown that Bitcoin is traceable, and while Monero is a privacy coin, the vast majority of U.S. cryptocurrency exchanges do not sell it.

Zcash is also a privacy coin and therefore more difficult to track. Nonetheless, it is currently sold on Coinbase, the most popular U.S. cryptocurrency exchange, making it easier for victims to purchase to pay the ransom.

However, if the ransomware group switches to accepting payments in this token, we could see it removed from U.S. exchanges due to pressure from the U.S. government.

LockBit 3.0 Analysis

The LockBit organization first surfaced in 2019 and re-emerged in June 2021 with the new LockBit 2.0 ransomware. The organization is considered one of the most active operations in the threat space, leading notorious organizations such as Black Basta, Hive and Conti in number of victims.

The LockBit team is expanding its reach, introducing innovative solutions and adopting tried-and-true formulas from the ransomware market. Security analysts warn that it is difficult to predict how many of the modifications implemented in LockBit 3.0 operations remain unknown. According to recently disclosed research data, LockBit Black has code similarities to the BlackMatter ransomware, which was used in many high-profile attacks last summer. Researchers speculate that former BlackMatter developers may have been involved in writing the latest LockBit ransomware.

From: On DarkNet – Dark Web News and Analysis
Copyright of the article belongs to the author, please do not reproduce without permission.
