Notorious ransomware LockBit appears to have added a new variant, LockBit Green, to its dark web code repository, along with an update to malware that targets the widely used VMware ESXi hypervisor. Researchers say this indicates the growing importance of cloud services to cybercriminals.


LockBit, also known as LockBit 3.0 as it is the third evolution of the group, now offers three variants of its malware for sale, according to researchers vx-underground, who say they were contacted by the gang last week. The two other variants are also colour-themed – red and black.

What is LockBit Green?

LockBit Green is “not anything I’ve heard of before,” says Allan Liska of security company Recorded Future. “It looks like this is something new, like a new variant of their existing ransomware.”

The screenshots posted on Twitter show “what LockBit looks like for their affiliates, for the people who subscribe to the rights for their service,” Liska adds.

Paul Lewis, CISO at security company Nominet, says it makes sense for gangs to look to breach systems like ESXi which can act as an entry point to corporate networks. “Virtual machines are generally used for elastic, high capacity systems and services,” he says. “There are opportunities to potentially use this kind of technology to proliferate quicker because it’s all software, rather than boxes in data centres.”

Liska believes it reflects a greater focus on cloud by ransomware gangs. “More organisations are storing things in the cloud, so ransomware groups are more and more interested in the cloud,” he adds. “The fact that they’re still investing or the fact that they’re investing time and resources in building cloud tech shows, that’s where ransomware groups are thinking about their future.”

What we’re seeing is a natural evolution of software created by ransomware gangs, Lewis adds. “This is just another way that criminals can exploit a relatively new technology like the cloud,” he says.
