{
	"id": "47635823-1522-4127-897e-53f6a8b20e06",
	"created_at": "2026-04-06T00:16:12.021783Z",
	"updated_at": "2026-04-10T03:20:26.846039Z",
	"deleted_at": null,
	"sha1_hash": "95bc967cd260008768efcb43f413d0ce9c13ca7e",
	"title": "LockBit ransomware goes 'Green,' uses new Conti-based encryptor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2202943,
	"plain_text": "LockBit ransomware goes 'Green,' uses new Conti-based encryptor\r\nBy Lawrence Abrams\r\nPublished: 2023-02-01 · Archived: 2026-04-05 19:00:42 UTC\r\nThe LockBit ransomware gang has again started using encryptors based on other operations, this time switching to one\r\nbased on the leaked source code for the Conti ransomware.\r\nSince its launch, the LockBit operation has gone through numerous iterations of its encryptor, starting with a custom one and\r\nmoving to LockBit 3.0 (aka LockBit Black), which is derived from the BlackMatter gang's source code.\r\nThis week, cybersecurity collective VX-Underground first reported that the ransomware gang is now using a new encryptor\r\nnamed 'LockBit Green,' based on the leaked source code of the now-disbanded Conti gang.\r\nThe Conti ransomware gang shut down after a series of embarrassing data breaches caused by the leaking of 170,000\r\ninternal messages and the source code for their encryptor.\r\nSoon after the source code was leaked, other hacking groups began utilizing it to create their own encryptors, with\r\nsome ironically used against Russian companies.\r\nA look at LockBit Green\r\nSince the news of LockBit Green became public, researchers have found samples of the new encryptor circulating on\r\nVirusTotal and other malware-sharing sites.\r\nA malware analyst known as CyberGeeksTech reverse-engineered a sample of LockBit Green and told BleepingComputer\r\nthat it was definitely based on the Conti encryptor they previously analyzed.\r\n\"I've analyzed the sample and it's 100% based on the Conti source code,\" the researcher told BleepingComputer.\r\n\"The decryption algorithm is just an example of a similarity. It's weird that they've chosen to build a payload based on Conti,\r\nthey have their own encryptor for some time.\"\r\nCybersecurity firm PRODAFT also shared four MD5 hashes of LockBit Green samples that they found, including a Yara\r\nrule that can detect the new variant.\r\nPRODAFT told BleepingComputer that they know of at least five victims that have been attacked using the new LockBit\r\nGreen variant.\r\nBleepingComputer tested one of the samples shared by PRODAFT, which utilizes the same command-line arguments as the\r\nprevious Conti encryptors.\r\nThe ransom notes have been modified to use the LockBit 3.0 ransom note rather than Conti's format, as shown below.\r\nLockBit Green ransom note\r\nSource: BleepingComputer\r\nHowever, one change we noticed is that LockBit Green uses what appears to be a random extension rather than the\r\nstandard .lockbit extension.\r\nDifferent encrypted file extension used in LockBit Green\r\nSource: BleepingComputer\r\nWhile it's unclear why the LockBit operation is utilizing a new Conti-based encryptor when their previous one works fine,\r\nPRODAFT may have the answer.\r\n\"We especially observed that ex-Conti members preferred LockBit Green after the announcement. They probably feel\r\ncomfortable using conti-based ransomware,\" PRODAFT told BleepingComputer.\r\nSource: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-goes-green-uses-new-conti-based-encryptor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/lockbit-ransomware-goes-green-uses-new-conti-based-encryptor/"
	],
	"report_names": [
		"lockbit-ransomware-goes-green-uses-new-conti-based-encryptor"
	],
	"threat_actors": [],
	"ts_created_at": 1775434572,
	"ts_updated_at": 1775791226,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/95bc967cd260008768efcb43f413d0ce9c13ca7e.pdf",
		"text": "https://archive.orkl.eu/95bc967cd260008768efcb43f413d0ce9c13ca7e.txt",
		"img": "https://archive.orkl.eu/95bc967cd260008768efcb43f413d0ce9c13ca7e.jpg"
	}
}