November 30, 2023

Notorious ransomware LockBit appears to have added a new variant, LockBit Green, to its dark web code repository, along with an update to malware that targets the widely used VMware ESXi hypervisor. Researchers say this indicates the growing importance of cloud services to cybercriminals.

LockBit, also known as LockBit 3.0 as it is the third evolution of the group, Affiliates to the LockBit RaaS can obtain LockBit Green using the builder feature on the LockBit portal.  In total it offers three variants of its malware for sale according to researchers vx-underground, who say they were contacted by the gang last week. The two other variants are also colour themed – red and black.


The experts pointed out that only a small part of the source code has been modified by LockBit, including the ransom note which is identical to the one used by the LockBit Black variant.

Antonio Cocomazzi, a senior threat intelligence researcher from SentinelOne, reported that the new variant has a significant overlap with the Conti ransomware, whose source code was leaked months ago.

The availability of the source code of other malware allows operators to create their own version, improving it, and speeding up the development lifecycle.

The ransom note filename has been changed to “!!!-Restore-My-Files-!!!.txt”.


Attacks on the cloud implemented using LockBit ransomware appear to be mounting. Earlier this month GoTo, the parent of company of password manager LastPass, saw data in its cloud storage facility attacked using LockBit malware.

Leave a Reply

%d bloggers like this: