
LockBit Green Ransomware: The Complete Guide

LockBit Green is a new variant of the LockBit ransomware that was first reported by cybersecurity collective VX-Underground. It is based on the leaked source code of Conti ransomware and is designed to target cloud-based services.

LockBit Green is the third version of the LockBit ransomware, with previous variants being tracked as LockBit Red and LockBit Black. The LockBit RaaS gang released LockBit Green, which is available to their affiliates using the builder feature on the LockBit portal. The gang has also modified its ransomware variant for VMware ESXi, an enterprise-class, type-1 hypervisor developed by VMware for deploying and serving virtual machines.

SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against ransomware attacks. And, in case of a ransomware attack, contact our ransomware recovery experts immediately.

What kind of malware is LockBit Green?

LockBit Green is a type of malware, known as ransomware, that encrypts victims’ data and then demands a ransom, usually paid in cryptocurrency, in exchange for the decryptor.
LockBit Green uses a new Conti-based encryptor. The ransomware encrypts the victim’s data and appends a random extension to the filenames of all encrypted files. The encryption process is automatic and targets devices across Windows domains.

The AES key is generated using BCryptGenRandom, and to speed up encryption the ransomware encrypts only the first 4 KB of each file before appending a random extension to the filename. It is usually executed via the command line, since it accepts file paths or directories as parameters when only specific paths are to be encrypted.
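The head-only encryption described above leaves a measurable footprint on disk: a file whose first 4 KB is near-random while the remainder is still ordinary document data. The Python script below is an added example, not code from the original article or from SalvageData, that scores that footprint with Shannon entropy and walks a directory for files matching it. The 4 KB boundary comes from the page; the two entropy thresholds, the sample files the script writes and the appended extension `.k3xq9a` are constructed assumptions for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter

HEAD_BYTES = 4096           # the page reports LockBit Green encrypts only the first 4 KB of a file
HIGH_ENTROPY = 7.5          # bits/byte; random ciphertext sits near 8.0 (assumed threshold)
LOW_ENTROPY = 6.0           # ordinary text/documents usually sit well below this (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer; 0.0 for empty input."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def classify_file(path: str) -> dict:
    """Compare the entropy of the first 4 KB with the entropy of the rest of the file.

    A near-random head followed by a low-entropy tail is the footprint of head-only
    encryption. A file that is random throughout (a ZIP, a JPEG, or a fully encrypted
    file) has a high-entropy tail too and is deliberately not flagged here.
    """
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
        tail = fh.read()
    head_entropy = shannon_entropy(head)
    tail_entropy = shannon_entropy(tail)
    suspicious = (
        len(head) == HEAD_BYTES
        and len(tail) >= HEAD_BYTES        # need a comparably sized tail to judge
        and head_entropy >= HIGH_ENTROPY
        and tail_entropy <= LOW_ENTROPY
    )
    return {"path": path, "head_entropy": head_entropy,
            "tail_entropy": tail_entropy, "suspicious": suspicious}


def scan_directory(directory: str) -> list:
    """Return the paths under `directory` whose head/tail profile suggests head-only encryption."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            result = classify_file(os.path.join(root, name))
            if result["suspicious"]:
                hits.append(result["path"])
    return sorted(hits)


def build_samples(directory: str) -> dict:
    """Write three constructed files: a plain document, the same document with its first
    4 KB replaced by random bytes (simulating head-only encryption, with a made-up
    appended extension), and a file that is random throughout."""
    document = b"Quarterly report: revenue, costs and forecast for the next period.\n" * 400
    paths = {
        "clean": os.path.join(directory, "report.docx"),
        "hit": os.path.join(directory, "report.docx.k3xq9a"),
        "random": os.path.join(directory, "archive.bin"),
    }
    with open(paths["clean"], "wb") as fh:
        fh.write(document)
    with open(paths["hit"], "wb") as fh:
        fh.write(os.urandom(HEAD_BYTES) + document[HEAD_BYTES:])
    with open(paths["random"], "wb") as fh:
        fh.write(os.urandom(4 * HEAD_BYTES))
    return paths


def demo() -> list:
    """Build the constructed samples in a temporary directory and return the flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return [os.path.basename(p) for p in scan_directory(tmp)]


if __name__ == "__main__":
    for name in demo():
        print("possible head-only encryption:", name)
```

The tail-entropy check is what keeps the false-positive rate down: compressed archives and media files have high entropy everywhere, so only files that are random at the front and structured behind the 4 KB mark are reported. Thresholds should be tuned against a sample of the organisation's own file types before the check is used at scale.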

Everything we know about LockBit Green Ransomware

Confirmed Name

  • LockBit Green virus

Threat Type

  • Ransomware
  • Crypto Virus
  • Files locker
  • Double extortion

Encrypted Files Extension

  • Random extension

Ransom Demanding Message

  • !!!-Restore-My-Files-!!!.txt

Detection Names

  • Avast Win32:Conti-B [Ransom]
  • AVG Win32:Conti-B [Ransom]
  • Emsisoft Gen:Variant.Ser.Zusy.4033 (B)
  • Malwarebytes Generic.Ransom.FileCryptor.DDS
  • Kaspersky UDS:DangerousObject.Multi.Generic
  • Sophos Mal/Generic-S
  • Microsoft Ransom:Win32/Conti.AD!MTB

Distribution methods

  • Phishing emails
  • Compromised Servers
  • Brute Forcing VPN Credentials
  • Exploiting Vulnerabilities
  • Social Engineering
  • Malicious Ads and Websites
  • Exploiting Remote Desktop Protocol (RDP)
  • Supply Chain Attacks

Consequences

  • Files are encrypted and locked until the ransom payment
  • Data leak
  • Double extortion

Is There a Free Decryptor Available?

No. There is no known public decryptor for LockBit Green ransomware available at this time.

What are LockBit Green ransomware’s IOCs?

Indicators of Compromise (IOCs) are artifacts observed on a network or in an operating system that indicate a computer intrusion with high confidence. IOCs can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.

They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.

LockBit Green ransomware’s Indicators of Compromise (IOCs) include:

  • Encrypted files with a random extension added to their filenames
  • A ransom note or message displayed on the victim’s screen or in a text file
  • Unusual network traffic or activity, such as large amounts of data being transferred to unknown locations
  • Suspicious processes or services running on the victim’s system
  • Changes to system settings or configurations, such as disabling security software or modifying registry keys

If any of these signs are detected, it is important to isolate the affected system from the network and seek assistance from a qualified security professional to investigate and remediate the attack. It is also recommended to regularly back up important data and implement security best practices to prevent ransomware attacks.

LockBit Green ransomware file hashes

Ransomware file hashes are unique identifiers that represent a specific file or set of files associated with a ransomware attack. These hashes can be used to identify and track ransomware attacks and to develop signatures for antivirus software to detect and block ransomware infections.

LockBit Green file hashes:

  • 102679330f1e2cbf41885935ceeb2ab6596dae82925deec1aff3d90277ef6c8c
  • 32eb4b7a4d612fac62e93003811e88fbc01b64281942c25f2af2a0c63cdbe7fa
  • 5c5c5b25b51450a050f4b91cd2705c8242b0cfc1a0eaeb4149354dbb07979b83
  • 7509761560866a2f7496eb113954ae221f31bc908ffcbacad52b61346880d9f3
  • 924ec909e74a1d973d607e3ba1105a17e4337bd9a1c59ed5f9d3b4c25478fe11
  • ac49a9ecd0932faea3659d34818a8ed4c48f40967c2f0988eeda7eb089ad93ca
  • fc8668f6097560f79cea17cd60b868db581e51644b84f5ad71ba85c00f956225
  • ffa0420c10f3d0ffd92db0091304f6ed60a267f747f4420191b5bfe7f4a513a9
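A practical use of the hashes above, together with the ransom note filename from the IOC list earlier on this page, is a filesystem sweep. The Python script below is an added example, not code from the original article or from SalvageData: it hashes every file under a directory in chunks, reports any SHA-256 on the watch list, and reports any file named `!!!-Restore-My-Files-!!!.txt`. The watch list and note name are taken from this page; the placeholder file, its name `sample.bin` and the note text written by `demo()` are constructed so the matching path can be exercised without any real sample on disk.

```python
import hashlib
import os
import sys
import tempfile

# SHA-256 hashes listed on this page for LockBit Green samples.
LOCKBIT_GREEN_SHA256 = {
    "102679330f1e2cbf41885935ceeb2ab6596dae82925deec1aff3d90277ef6c8c",
    "32eb4b7a4d612fac62e93003811e88fbc01b64281942c25f2af2a0c63cdbe7fa",
    "5c5c5b25b51450a050f4b91cd2705c8242b0cfc1a0eaeb4149354dbb07979b83",
    "7509761560866a2f7496eb113954ae221f31bc908ffcbacad52b61346880d9f3",
    "924ec909e74a1d973d607e3ba1105a17e4337bd9a1c59ed5f9d3b4c25478fe11",
    "ac49a9ecd0932faea3659d34818a8ed4c48f40967c2f0988eeda7eb089ad93ca",
    "fc8668f6097560f79cea17cd60b868db581e51644b84f5ad71ba85c00f956225",
    "ffa0420c10f3d0ffd92db0091304f6ed60a267f747f4420191b5bfe7f4a513a9",
}
# Ransom note filename reported on this page.
RANSOM_NOTE_NAME = "!!!-Restore-My-Files-!!!.txt"


def sha256_of(path: str) -> str:
    """Hash a file in 1 MiB chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(directory: str, watch_hashes=frozenset(LOCKBIT_GREEN_SHA256)) -> dict:
    """Walk `directory`; report files whose SHA-256 is on the watch list and any ransom notes."""
    findings = {"hash_matches": [], "ransom_notes": []}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if name == RANSOM_NOTE_NAME:
                findings["ransom_notes"].append(path)
            try:
                if sha256_of(path) in watch_hashes:
                    findings["hash_matches"].append(path)
            except OSError:
                # unreadable files (locked, permission denied) are skipped rather than aborting the sweep
                continue
    for key in findings:
        findings[key].sort()
    return findings


def demo() -> dict:
    """Exercise the sweep on constructed files in a temporary directory.

    No real sample is written to disk: the "match" is a harmless placeholder file whose
    own hash is added to the watch list, which demonstrates the matching path without
    needing malware on hand.
    """
    with tempfile.TemporaryDirectory() as tmp:
        note = os.path.join(tmp, RANSOM_NOTE_NAME)
        with open(note, "w", encoding="utf-8") as fh:
            fh.write("constructed stand-in for a ransom note\n")
        placeholder = os.path.join(tmp, "sample.bin")   # constructed name, not an IoC from the page
        with open(placeholder, "wb") as fh:
            fh.write(b"constructed placeholder bytes, not malware\n")
        watch = frozenset(LOCKBIT_GREEN_SHA256) | {sha256_of(placeholder)}
        found = sweep(tmp, watch)
        return {key: [os.path.basename(p) for p in paths] for key, paths in found.items()}


if __name__ == "__main__":
    # Usage: python sweep.py /path/to/scan   (with no argument, runs the constructed demo)
    print(sweep(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Hash matching only catches the exact binaries listed; a rebuilt affiliate payload will have a different digest, which is why the note-name check and the behavioural indicators on this page matter alongside it.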

What is in the LockBit Green ransom note

The ransom note for LockBit Green is identical to the one used by LockBit Black, and the ransom note filename has been changed to “!!!-Restore-My-Files-!!!.txt”.

LockBit Green ransom note states that the data has been stolen and encrypted and warns that if the ransom is not paid, the stolen data will be leaked or sold. The command-line flags for LockBit Green are identical to those of Conti v3, making it a derivative of the original source code.

It is important to note that paying the ransom does not guarantee that the attackers will provide the decryption key and may result in further attacks.

If you realize you’re a ransomware victim, contacting SalvageData ransomware removal experts provides you with a secure data recovery service and ransomware removal after an attack.

How does LockBit Green ransomware spread

LockBit Green gains access to cloud-based services through various means. Here are some methods that LockBit Green ransomware can use to target cloud-based services:

  • Exploiting Vulnerabilities. Ransomware can exploit vulnerabilities in cloud infrastructure, such as misconfigurations or outdated software, to gain unauthorized access. This can include exploiting weak passwords, unpatched software, or insecure network configurations.
  • Phishing and Social Engineering. Ransomware operators may use phishing emails or other social engineering techniques to trick users into clicking on malicious links or downloading infected attachments. These emails can be designed to appear legitimate and may contain convincing messages or impersonate trusted entities.
  • Brute Forcing VPN Credentials. In some instances, LockBit Green may arrive via brute forcing insecure VPN credentials. This can occur when weak or easily guessable passwords are used for VPN access.
  • Malicious Ads and Websites. Ransomware can also be distributed through malicious advertisements or compromised websites. Users may unknowingly visit a compromised website or click on a malicious ad, which can then download and execute the ransomware onto their system.
  • Exploiting Remote Desktop Protocol (RDP). Ransomware operators may attempt to exploit weak or misconfigured Remote Desktop Protocol (RDP) connections to gain access to cloud-based services. Once inside the network, they can move laterally and infect other systems.
  • Supply Chain Attacks. Ransomware can also be introduced into cloud-based services through supply chain attacks. This involves compromising trusted software vendors or service providers and using their access to distribute the ransomware to their customers.
  • Compromised Servers. LockBit operators often gain access to networks through compromised servers. They may exploit vulnerabilities in server software or gain access through compromised credentials obtained from affiliates or other threat actors.
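Two of the entry vectors above, VPN credential brute forcing and weak RDP access, show up in authentication logs before a single file is encrypted. The Python script below is an added example, not code from the article or from SalvageData: it runs a sliding-window failed-logon counter over constructed log lines and additionally flags a successful logon from a source that had already crossed the threshold, the pattern left by a guessed password. The simplified line format, the addresses (RFC 5737 documentation ranges), the user names and the threshold and window values are constructed assumptions; event IDs 4625 (failed logon) and 4624 (successful logon) are the standard Windows Security log IDs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "timestamp event user src" format (not real logs).
# Event 4625 is Windows' "An account failed to log on"; 4624 is a successful logon.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 4625 user=root src=192.0.2.9
2024-03-01T10:00:01Z 4625 user=administrator src=203.0.113.5
2024-03-01T10:00:04Z 4625 user=admin src=203.0.113.5
2024-03-01T10:00:09Z 4625 user=backup src=203.0.113.5
2024-03-01T10:00:13Z 4625 user=helpdesk src=203.0.113.5
2024-03-01T10:00:18Z 4625 user=svc_vpn src=203.0.113.5
2024-03-01T10:00:22Z 4625 user=jsmith src=203.0.113.5
2024-03-01T10:00:27Z 4624 user=jsmith src=203.0.113.5
2024-03-01T10:00:30Z 4625 user=mlee src=198.51.100.7
2024-03-01T10:01:30Z 4625 user=root src=192.0.2.9
2024-03-01T10:03:00Z 4625 user=root src=192.0.2.9
2024-03-01T10:04:30Z 4625 user=root src=192.0.2.9
2024-03-01T10:05:30Z 4625 user=mlee src=198.51.100.7
2024-03-01T10:06:00Z 4625 user=root src=192.0.2.9
2024-03-01T10:06:10Z 4624 user=mlee src=198.51.100.7
"""

FAILURE_THRESHOLD = 5           # failed logons from one source ...
WINDOW = timedelta(seconds=60)  # ... inside this sliding window (assumed tuning values)


def parse_line(line: str) -> tuple:
    """Split one constructed log line into (raw timestamp, datetime, event id, user, source)."""
    ts_raw, event, user_kv, src_kv = line.split()
    ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
    return ts_raw, ts, int(event), user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]


def analyze(log_text: str, threshold: int = FAILURE_THRESHOLD, window: timedelta = WINDOW) -> dict:
    """Flag sources that exceed the failure threshold inside the window, and any later
    successful logon from a flagged source."""
    recent = defaultdict(deque)   # src -> failure timestamps still inside the window
    brute_force = {}              # src -> raw timestamp at which the threshold was first crossed
    success_after = []            # flagged sources that subsequently logged on successfully
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, ts, event, _user, src = parse_line(line)
        if event == 4625:
            window_hits = recent[src]
            window_hits.append(ts)
            while ts - window_hits[0] > window:   # drop failures that aged out of the window
                window_hits.popleft()
            if len(window_hits) >= threshold and src not in brute_force:
                brute_force[src] = ts_raw
        elif event == 4624 and src in brute_force and src not in success_after:
            success_after.append(src)
    return {"brute_force": brute_force, "success_after_brute_force": success_after}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In the constructed data, `203.0.113.5` crosses the threshold on its fifth failure and is then seen logging on successfully, which is the alert worth paging on; `192.0.2.9` fails just as often overall but 90 seconds apart, so the 60-second window never fills and it stays below the threshold. Real deployments read the same fields from the Security event log or the VPN concentrator's syslog rather than from this simplified format.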

How does LockBit Green ransomware infect a computer or network?

LockBit Green ransomware works by encrypting the victim’s data using a new Conti-based encryptor.

Here is a breakdown of how the encryption process typically works:

Infection

LockBit Green gains access to a computer or network through various means, such as phishing emails, compromised servers, or exploiting vulnerabilities.

Encryption

Once inside the system, LockBit Green starts encrypting the victim’s files. It targets a wide range of file types, including documents, images, and videos. The ransomware uses a powerful encryption algorithm to scramble the data, making it inaccessible without the decryption key.

File Extension

LockBit Green appends a random extension to the filenames of all encrypted files. This extension is unique to each victim and serves as an identifier for the ransomware.

Ransom Note

After encrypting the files, LockBit Green leaves a ransom note behind. The specific contents of the ransom note may vary, but it typically informs the victim that their data has been encrypted and provides instructions on how to pay the ransom to obtain the decryption key.

Ransom Payment

The ransom note includes details on how to contact the ransomware operators and make the payment. It is important to note that paying the ransom does not guarantee that the files will be decrypted, and it may encourage further attacks.

Do not pay the ransom! Contacting a ransomware removal service can not only restore your files but also remove any potential threat.

How to handle a LockBit Green ransomware attack

Important: The first step after identifying LockBit Green IOCs is to resort to your Incident Response Plan (IRP). Ideally, you have an Incident Response Retainer (IRR) with a trusted team of professionals that can be contacted 24/7/365, and they can take immediate action that will prevent data loss, reduce or eliminate the ransom payment, and help you through any legal liabilities.

To the best of our knowledge with the information we have at the time this article is published, the first step that a team of ransomware recovery experts would take is to isolate the infected computer by disconnecting it from the internet and removing any connected device.

At the same time, this team will assist you in contacting your country’s local authorities. For US residents and businesses, these are the local FBI field office and the Internet Crime Complaint Center (IC3). To report a ransomware attack you must gather all the information you can about it, including:

  • Screenshots of the ransom note
  • Communications with LockBit Green actors (if you have them)
  • A sample of an encrypted file

However, if you don’t have an IRP or IRR, you can still contact ransomware removal and recovery professionals. This is the best course of action and greatly increases the chances of successfully removing the ransomware, restoring the data, and preventing future attacks. We recommend that you leave every infected machine as it is and call an emergency ransomware recovery service.

Restarting or shutting down the system may compromise the recovery process. Capturing the RAM of a live system may help recover the encryption key, and a captured dropper file may be reverse-engineered, leading to decryption of the data or an understanding of how the ransomware operates.

What NOT to do to recover from a LockBit Green ransomware attack

You must not delete the ransomware, and you must keep all evidence of the attack. That is important for digital forensics, so experts can trace the attack back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find those responsible. A cyber attack investigation is no different from any other criminal investigation: it needs evidence to find the attackers.

1. Contacting your Incident Response provider

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

If you contact your IR service provider, they will take care of everything else. However, if you decide to remove the ransomware and recover the files with your IT team, you can follow the next steps.

2. Identify the ransomware infection

You can identify which ransomware infected your machine by the file extension (some ransomware uses the file extension as their name), or it will be on the ransom note. With this information, you can look for a public decryption key.

You can also check the ransomware type by its IOCs. Indicators of Compromise (IOCs) are digital clues that cybersecurity professionals use to identify system compromises and malicious activities within a network or IT environment. They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.

3. Remove the ransomware and eliminate exploit kits

Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.

Use anti-malware/anti-ransomware software to quarantine and remove the malicious software.

Important: By contacting ransomware removal services you can ensure that your machine and network have no trace of the LockBit Green ransomware. Also, these services can patch your system, preventing new attacks.

4. Use a backup to restore the data

Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.

5. Contact a ransomware recovery service

If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup of it. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and prevent LockBit Green ransomware from attacking your network again.

Contact our experts 24/7 for emergency recovery service.

Prevent the LockBit Green ransomware attack

Preventing ransomware is the best solution for data security: it is easier and cheaper than recovering from an attack. LockBit Green ransomware can cost your business its future and even close its doors.

These are a few tips to ensure you can avoid ransomware attacks:

  • Install antivirus and anti-malware software.
  • Employ reliable cybersecurity solutions.
  • Utilize strong and secure passwords.
  • Keep software and operating systems up to date.
  • Implement firewalls for added protection.
  • Create a data recovery plan.
  • Regularly schedule backups to safeguard your data.
  • Exercise caution with email attachments and downloads from unknown or suspicious sources.
  • Verify the safety of ads before clicking on them.
  • Access websites only from trusted sources.

By adhering to these practices, you can fortify your online security and protect yourself from potential threats.

Heloise Montini

Heloise Montini is a content writer whose background in journalism makes her an asset when researching and writing tech content. Also, her personal aspirations in creative writing and PC gaming make her articles on data storage and data recovery accessible for a wide audience.
