Go to listing page

After LockBit Red and LockBit Black, Operators Launch LockBit Green

After LockBit Red and LockBit Black, Operators Launch LockBit Green
Ransomware operators often lookout for a way to take their ransomware to the next level. Recently, LockBit operators developed a new variant of their malware available on their portal. Dubbed LockBit Green, this new variant was designed to include cloud-based services among its targets.

What’s new?

According to researchers, the new variant has a significant overlap (89%) with Conti ransomware v3, whose source code was leaked a few months ago.
  • For the current version, LockBit operators have modified their ESXI ransomware variant. 
  • LockBit Green’s ransom note is identical to the one used by the LockBit Black variant; only the ransom note filename has been changed to !!!-Restore-My-Files-!!!.txt.
  • It uses random extensions rather than the standard .lockbit extension.

Furthermore, PRODAFT reported that at least five victims have been hit with the new LockBit Green.

Earlier variants

Since its launch, the LockBit operation has gone through numerous iterations with its encryptor, starting with a custom one LockBit Red and moving to LockBit Black (aka LockBit 3.0). 
  • LockBit Black is derived from BlackMatter’s source code. Since its origin in June 2022.
  • The other notable variants include LockBit Linux-ESXi Locker v1.0, LockBit 2.0, and LockBit 3.0 builder.
  • All these variants have caused significant damage to many industries across the globe.

LockBit has remained one of the most active global threats last year, with more victims than any other ransomware group, such as Conti, Hive, and BlackCat (as in October last year).


LockBit has a reputation as a RaaS group and its operators keep releasing new variants with additional capabilities. Experts estimate ex-Conti members will prefer LockBit Green as they probably feel comfortable using Conti-based ransomware and LockBit Green could have a big impact on victim organizations.
Cyware Publisher