Researchers have discovered that LV, a ransomware in use since late 2020, is a modified version of the REvil ransomware binary that is being distributed by a separate threat group.
An analysis of the LV ransomware binary by Secureworks Counter Threat Unit researchers shows that LV is a lightly modified REvil 2.03 beta binary (the sample reports version 2.02 but carries a code segment found only in REvil 2.03). The LV operators run their own payment and leak sites and appear to have the capacity to set up a ransomware-as-a-service (RaaS) operation, but Secureworks researchers said they have not seen it advertised on underground forums at this point.
“CTU analysis revealed that the LV ransomware is not a distinct ransomware family; it is repurposed REvil ransomware. By modifying the binary of a prolific ransomware family, the GOLD NORTHFIELD threat actors significantly expedited their maturity within the ransomware ecosystem. Without expending resources on ransomware development, the group can operate more efficiently than its competitors while still offering a best-in-class ransomware offering, ultimately resulting in a more profitable business model,” Secureworks researchers said.
The actors using the LV ransomware are tracked as GOLD NORTHFIELD, and like other current ransomware groups, they maintain leak sites where they publish details about current victims and threaten to post private data they have stolen if the victims don’t pay.
“GOLD NORTHFIELD operates multiple Tor-based ransom payment sites and at least two different name-and-shame leak sites that are both active and follow the same format but contain mostly unique victims. It is not yet understood why they would operate two distinct leak sites. In posts made to the leak sites, GOLD NORTHFIELD typically threatens to publicly release sensitive information if victims do not initiate contact within 72 hours. The threat actors include screenshots of the victim’s sensitive files to support their claims. However, it appears that none of the victims’ data has been released as of this publication. It is unclear if victims paid the ransom and the threat actors just keep the full list of victims on the leak site as evidence of their conquests,” Secureworks said in an analysis of the group’s activities.
It is not unusual for cybercrime groups to share, steal, or purchase tools from one another, but the ransomware landscape is a somewhat different animal. Groups that have developed their own ransomware typically guard it closely, because a quality ransomware tool is worth a great deal of money. Other groups run RaaS businesses, renting access to their ransomware to affiliates who carry out the intrusions and share a cut of the profits with the operators. The LV-REvil connection does not appear to fit either category; it looks more like theft or some other unauthorized repurposing of the REvil code.
“The code structure and functionality of the LV ransomware sample analyzed by CTU researchers are identical to REvil. The version value in the LV binary is 2.02, its compile timestamp is 2020-06-15 16:24:05, and its configuration is stored in a section named ‘.7tdlvx’. These characteristics align with REvil 2.02 samples first identified in the wild on June 17, 2020. The LV sample also contains a code segment that is unique to REvil 2.03. The only purpose of this code segment in the REvil binary is to taunt prominent security researchers. LV replaces the insults with the space character,” the researchers said.
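Two of the characteristics quoted above, the COFF compile timestamp and the ‘.7tdlvx’ section name, can be read straight out of a PE file’s headers, which makes them cheap triage checks to run across a sample set. The following is an added example written for this page; it is not code from the article or from Secureworks. It assumes the quoted timestamp is UTC, and the `build_sample_pe` helper constructs a synthetic PE purely as test input, not a real sample. Both fields are trivially forgeable and REvil builds vary, so a match is a hint to pull the sample for closer analysis, not proof of attribution.

```python
"""Triage helper for the REvil/LV header fingerprints quoted in the analysis.

Checks a PE file for (1) the COFF compile timestamp 2020-06-15 16:24:05
(assumed to be UTC) and (2) a section named '.7tdlvx', reported as the
section that holds the ransomware's configuration.
"""
import struct
import sys
from datetime import datetime, timezone
from typing import Optional

LV_CONFIG_SECTION = b".7tdlvx"          # section name quoted in the analysis
LV_COMPILE_TS = int(datetime(2020, 6, 15, 16, 24, 5, tzinfo=timezone.utc).timestamp())


def parse_pe(data: bytes) -> dict:
    """Minimal PE parser: COFF timestamp plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size       # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"timestamp": timestamp, "sections": sections}


def section_bytes(data: bytes, name: bytes) -> Optional[bytes]:
    """Raw bytes of a named section (e.g. the '.7tdlvx' config blob), or None."""
    for s in parse_pe(data)["sections"]:
        if s["name"] == name:
            return data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
    return None


def lv_indicators(data: bytes) -> dict:
    """Return the two fingerprint checks plus the decoded compile time."""
    pe = parse_pe(data)
    names = [s["name"] for s in pe["sections"]]
    return {
        "compile_time": datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc).isoformat(),
        "timestamp_matches": pe["timestamp"] == LV_COMPILE_TS,
        "has_config_section": LV_CONFIG_SECTION in names,
    }


def build_sample_pe(section_names, timestamp, payload=b"\x00" * 16) -> bytes:
    """Constructed test input: a minimal synthetic PE, not a real malware sample."""
    nsec = len(section_names)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222            # PE32 magic, rest zeroed
    headers_len = 0x40 + 4 + 20 + len(opt) + 40 * nsec
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, timestamp, 0, 0, len(opt), 0x0102)
    table, raw = b"", b""
    for i, name in enumerate(section_names):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload),
                             0x1000 * (i + 1), len(payload), headers_len + len(raw),
                             0, 0, 0, 0, 0x40000040)
        raw += payload
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff + opt + table + raw


if __name__ == "__main__":
    # Pass a file path to check a real binary; otherwise run on the synthetic PE.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_pe([b".text", LV_CONFIG_SECTION], LV_COMPILE_TS)
    print(lv_indicators(blob))
```

`section_bytes` returns the raw contents of the named section so that, once a sample flags, the configuration blob can be hashed or diffed against other LV and REvil samples; the analysis notes that configuration varies across LV samples, so comparing those blobs is where the per-sample differences would show up.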
“It is too early in GOLD NORTHFIELD’s evolution to evaluate the threat it poses. The ability to repurpose the REvil binary suggests that the threat actors have technical capabilities. Additionally, the complexity required for this repurposing and the configuration variations across LV samples suggest that GOLD NORTHFIELD may have automated the process,” the Secureworks researchers said.