The LockBit gang group released a new version of their ransomware, named LockBit Green, which is designed to target cloud-based services.
The release of the new version was reported by the security firm Prodaft and by the research team vx-underground.
The researchers pointed out that LockBit Green is the third version of the popular ransomware, previous variants are tracked as LockBit Red and LockBit Black. The gang's RaaS’s affiliates can obtain LockBit Green using the builder feature on the LockBit portal.
vx-underground researchers noticed that the LockBit gang has modified their VMware ESXI ransomware variant. It is an enterprise-class, type-1 hypervisor developed by VMware for deploying and serving virtual machines.
This improvement is not surprising because in recent months, we have observed an increase in ransomware attacks aimed at ESXi servers.
“Since virtualization is the foundation of any large-scale deployment of computing and storage resources, it is not surprising that ransomware actors have now expanded their targets to include virtualization servers: with a single attack it is possible to shut down entire data centers and affect virtualized storage that is shared among workloads, with devastating effects,” reported VMware.
The list of ransomware that can target ESXi includes Babuk, AvosLocker, BlackCat, Hive, Luna, REvil, HelloKitty, Black Basta, DarkSide/BlackMatter, Defray777/RansomEXX, GwisinLocker, Cheerscrypt, RedAlert, Conti, and of course LockBit.
The LockBit gang supports a VMware ESXi encryptor component since at leak October 2021. It has now modified their ESXI ransomware variant to continue using it as an entry point to corporate networks.
Is LockBit Green variant ransomware developed from scratch?
Absolutely no. SentinelOne senior threat intelligence researcher Antonio Cocomazzi analyzed a sample of the new version provided by vx-underground researchers and discovered that it has significant overlap (89% similarity) with the source code of the Conti Ransomware, specifically its v3 version.
The source code of the Conti Ransomware was leaked online in March 2022 by a Ukrainian researcher as a retaliation for the support of the gang for the Russian invasion of Ukraine.
According to Cocomazzi, the command-line flags for LockBit Green are identical to those used in the Conti v3 version.
“I conducted an analysis of the sample and found that it has significant overlap (89% similarity) with the #Conti Ransomware, specifically its v3 version, which the source code has been leaked several months ago. The command-line flags for LockBit Green are identical to those of Conti v3, making it a derivative of the original source code,” explained Cocomazzi.
Only a very small part of the source code has been modified to align with the LockBit brand, such as the component relayed to the generation of the ransom note. The ransom note for LockBit Green is identical to the one used by the LockBit Black version.The ransom note filename has been changed to "!!!-Restore-My-Files-!!!.txt".“The approach of reusing and adapting the source code of reputable competitors, such as the now-defunct Conti, helps to lower the cost and time of development allowing the #RaaS operators to maximize their speed of release to attract new affiliates,” concludes Cocomazzi.
The availability of the source code of other malware can allow threat actors to create their own versions, improving them by fixing bugs and optimizing the code.
Code reuse is a pillar of the development lifecycle and allows to rapidly create new versions focusing on specific features that can cause the threat to avoid detection.
The approach of reusing code from other ransomware is recurrent for the LockBit group, which aims at fortifying their brand by reusing the code of competitors with a high reputation in the cybercriminal underground.
Cocomazzi explained that on July 26, 2022, the group announced the new release of the LockBit 3.0 Ransomware, also known as LockBit Black.
Upon analyzing the LockBit Black version, he noticed a significant similarity with the BlackMatter Ransomware. BlackMatter was considered one of the most robust and efficient ransomware. Security firms linked its operation to the financially motivated group FIN7, which is of the most successful cybercriminal groups ever.
It later emerged that the LockBit group had "hired" the developer of the BlackMatter Ransomware, and as a result, most of the BlackMatter code had been reused to create the new LockBit Black.
“The reuse of BlackMatter code had important repercussions on the course of events of the LockBit group,” said Cocomazzi. “A few days after the announcement of LockBit 3.0, a new bug bounty program was also announced, in which the group was offering large amounts of cash to anyone who finds vulnerabilities in the Ransomware's encryption algorithms.”
The administrators of the group were confident of the quality of their software, until one day, they announced the first bug bounty awarded in the history of all RaaS. The announcement made the headlines in the criminal underground, a $50,000 bounty was awarded to an anonymous researcher for having reported a vulnerability in the LockBit 3.0 encryption algorithm that allowed recovering encrypted files without the decryption key.
“In fact, it had long been known by multiple researchers that the BlackMatter Ransomware had a serious vulnerability in the encryption algorithm,” continues Cocomazzi. “So the developer who reused the code to create LockBit 3.0 unintentionally included the vulnerability as well.”
This developer’s error was not tolerated by the administrators of the LockBit group, and in order to pay the researcher's bounty, the sum was withheld from the developer's salary.
The behavior of the LockBit administrators was obviously unacceptable to the developer, who decided to leak the source code of LockBit 3.0.
The release of the LockBit Green represents an attempt to avoid the diffusion of the LockBit 3.0 source code that could create rifts among the affiliates of the group, especially due to the "free" use of the software given its now online availability.
“In recent years, we have observed various internal data leakage of Ransomware groups such as Babuk, Conti, LockBit, and Yanluowang. Data leakage is an event that strongly damages a Ransomware operation and most of the time sanctions the disappearance of the group.” concludes Cocomazzi.
“The reasons for these leaks are of various nature, from geopolitical conflicts (e.g. Ukraine and Russia) to financial claims. This once again underlines how trust between the members of these criminal groups is a weak link in the entire Ransomware ecosystem.”
Back to the LockBit Green variant, Prodaft PTI team research shared Indicators of Compromise for the LockBit Green variant along with the Yara rule:
It is easy to predict that LockBit gang will continue its activity improving its ransomware to target the largest number of organizations as possible. The group seems to be focused on cloud environments due to the value of the information stored by the victims in these infrastructures.
More from Cybernews:
Subscribe to our newsletter