The LockBit ransomware gang has again started using encryptors based on other operations, this time switching to an encryptor based on the leaked Conti ransomware source code.

Since its launch, Operation LockBit has seen many iterations of its cipher, starting with a custom cipher and moving to LockBit 3.0 (aka LockBit Black), which is derived from the source code of the BlackMatter gang.

This week, the cybersecurity collective VX-Underground reported for the first time that the ransomware gang is now using a new cipher named “LockBit Green”, based on leaked source code from the now disbanded Conti gang.

The Conti ransomware gang has shut down after a series of embarrassing data breaches caused by the 170,000 internal messages leaked and the source code for their encryptor.

Shortly after the source code was leaked, other hacking groups started using it to create their own encryptors, some ironically used against Russian companies.

A look at LockBit Green

Since news of LockBit Green became public, researchers have found samples of the new encryptor circulating on VirusTotal and other malware-sharing sites.

A malware analyst known as CyberGeeksTech reverse-engineered a sample of LockBit Green and told BleepingComputer that it was definitely based on the Conti Encryptor they previously analyzed.

“I analyzed the sample and it’s 100% based on Conti’s source code,” the researcher told BleepingComputer.

“The decryption algorithm is just one example of similarity. It’s weird that they chose to build a payload based on Conti, they’ve had their own encryptor for a while.”

The cybersecurity company PRODAFT has also shared four MD5 hashes of LockBit Green samples they found, including a Yara ruler that can detect the new variant.

PRODAFT told BleepingComputer that they know of at least five victims who were attacked using the new LockBit Green variant.

BleepingComputer tested one of the examples shared by PRODAFT, which uses the same command line arguments as previous Conti encryptors.

The ransom notes have been modified to use LockBit 3.0 ransom note rather than Conti’s format as shown below.

However, one change we noticed is that LockBit Green is using what appears to be a random extension rather than the standard .lockbit extension.

Although it is not known why the LockBit operation uses a new Conti-based cipher while the previous one works correctly, PRODAFT may have the answer.

“We especially observed that former Conti members preferred LockBit Green after the announcement. They probably feel comfortable using conti-based ransomware,” PRODAFT told BleepingComputer.