A recent report revealed that the notorious LV ransomware group, which has operated as a ransomware-as-a-service (RaaS) business since late 2020, is based on REvil. The researchers reached that conclusion by analyzing an LV malware sample and tracing it back to REvil, also known as Sodinokibi.
Researchers at Trend Micro say that the LV ransomware gang uses a modified REvil binary rather than REvil's source code. However, they believe that a definitive link between the two threat groups cannot be established yet, because the precise nature of their relationship has not been revealed.
LV and REvil ransomware gangs
Sources claim that the organization behind REvil either sold its source code, had the source code stolen, or shared it with the LV ransomware gang as part of a collaboration. Researchers at Trend Micro, on the other hand, believe that the LV ransomware gang modified the REvil v2.03 beta binary, rather than the source code, in order to repurpose REvil payloads for its own, third-party ransomware operations.
Reports suggest that the ransomware gang has been staging a comeback since the second quarter of 2022 and has successfully breached several organizations. Moreover, in a warning issued in August 2022, the German Federal Office for Information Security (BSI) stated that the ransomware's operators were blackmailing Semikron, a semiconductor manufacturer, by threatening to leak data they claimed to have stolen.
The LV ransomware’s primary targets
According to a post on a black-market website in December 2021, a threat actor claiming to be behind the LV ransomware operation was recruiting network access brokers. The actor expressed interest in gaining network access to Canadian, European, and American organizations in order to extort them with the ransomware. The increase in reported LV ransomware breaches since the second quarter of 2022 is consistent with that attempt to broaden the scope of the affiliate program.
According to data from the Trend Micro Smart Protection Network and other internal sources, Europe generated the most breach alerts, while the United States and Saudi Arabia had the most reported incidents that involved the ransomware payload itself. The attacks hit many different industry sectors, with manufacturing and technology suffering the most, which points to an opportunistic targeting strategy.
According to the report, the attackers used Mimikatz to dump credentials during the credential access and lateral movement phases, and NetScan and Advanced Port Scanner for discovery. A day before the ransomware was deployed, on September 8, 2022, numerous successful logins were recorded with compromised user accounts.
After gaining Remote Desktop Protocol (RDP) access to the domain controller with the compromised account of a domain administrator, the attacker created a malicious group policy on September 9, 2022, containing a scheduled task that executed the ransomware from a shared folder hosted on the domain controller.
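The intrusion chain just described (one compromised account logging on to many hosts in a short window, an RDP logon to the domain controller, a group policy change, and a scheduled task that runs a payload from a share on the DC) can be expressed as correlation rules over Windows Security events. The Python below is an added example written for this page, not code from Trend Micro or from the report it summarizes. The events are constructed to resemble Event ID 4624 (successful logon), 5136 (directory service object modified) and 4698 (scheduled task created) records; the host names, account names, the task command and the list of domain controllers are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption for this example: which hosts are domain controllers.
DOMAIN_CONTROLLERS = {"DC01"}

# Constructed sample events shaped like Windows Security log records
# (4624 = successful logon, 5136 = directory service object modified,
# 4698 = scheduled task created). Illustrative only, not real telemetry.
SAMPLE_EVENTS = [
    # Day 1: one compromised account logs on to many hosts in a short window
    {"time": "2022-09-08T20:58:01", "event_id": 4624, "host": "WS-104", "user": "svc_backup", "logon_type": 3},
    {"time": "2022-09-08T21:01:17", "event_id": 4624, "host": "FS01",   "user": "svc_backup", "logon_type": 3},
    {"time": "2022-09-08T21:03:42", "event_id": 4624, "host": "WS-211", "user": "svc_backup", "logon_type": 3},
    {"time": "2022-09-08T21:05:09", "event_id": 4624, "host": "APP02",  "user": "svc_backup", "logon_type": 3},
    {"time": "2022-09-08T21:06:55", "event_id": 4624, "host": "SQL01",  "user": "svc_backup", "logon_type": 3},
    {"time": "2022-09-08T21:08:30", "event_id": 4624, "host": "WS-309", "user": "svc_backup", "logon_type": 3},
    # Benign interactive logon by a normal user; must not trigger
    {"time": "2022-09-08T21:10:00", "event_id": 4624, "host": "WS-050", "user": "jdoe", "logon_type": 2},
    # Day 2: RDP (logon type 10) to the DC with a domain admin account
    {"time": "2022-09-09T02:14:05", "event_id": 4624, "host": "DC01", "user": "da_admin", "logon_type": 10},
    # A group policy object is created/modified on the DC
    {"time": "2022-09-09T02:20:33", "event_id": 5136, "host": "DC01", "user": "da_admin",
     "object_class": "groupPolicyContainer",
     "object_dn": "CN={A1B2C3D4-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=corp,DC=local"},
    # The GPO-delivered task appears on a member host, running a binary from a share on the DC
    {"time": "2022-09-09T02:35:12", "event_id": 4698, "host": "WS-104", "user": "SYSTEM",
     "task_name": "\\Update", "command": "\\\\DC01\\share\\svchost.exe"},
]


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def find_logon_bursts(events, window=timedelta(minutes=30), min_hosts=5):
    """Accounts that logged on successfully to at least `min_hosts` distinct
    hosts within any `window`. Returns {user: sorted list of hosts}."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624:
            by_user[e["user"]].append((parse_time(e["time"]), e["host"]))
    hits = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits


def find_rdp_to_dc(events, dcs=DOMAIN_CONTROLLERS):
    """Logon type 10 (RemoteInteractive, i.e. RDP) onto a domain controller."""
    return [e for e in events
            if e["event_id"] == 4624 and e.get("logon_type") == 10 and e["host"] in dcs]


def find_gpo_changes(events):
    """Directory changes to groupPolicyContainer objects (new or edited GPOs)."""
    return [e for e in events
            if e["event_id"] == 5136 and e.get("object_class") == "groupPolicyContainer"]


def find_tasks_from_dc_share(events, dcs=DOMAIN_CONTROLLERS):
    """Scheduled tasks whose command is a UNC path hosted on a domain controller."""
    out = []
    for e in events:
        if e["event_id"] != 4698:
            continue
        cmd = e.get("command", "")
        if cmd.startswith("\\\\"):
            share_host = cmd[2:].split("\\", 1)[0]
            if share_host.upper() in dcs:
                out.append(e)
    return out


def correlate_chain(events, dcs=DOMAIN_CONTROLLERS):
    """Link the stages in time order: logon burst, then RDP to a DC, then a GPO
    change, then a task pulling its payload from a DC share."""
    bursts = find_logon_bursts(events)
    rdp = sorted(find_rdp_to_dc(events, dcs), key=lambda e: e["time"])
    gpo = sorted(find_gpo_changes(events), key=lambda e: e["time"])
    tasks = sorted(find_tasks_from_dc_share(events, dcs), key=lambda e: e["time"])

    # Each later stage must occur after the previous one to count as one chain.
    stage_times = []
    for group in (rdp, gpo, tasks):
        after = stage_times[-1] if stage_times else None
        hit = next((e for e in group if after is None or e["time"] > after), None)
        if hit is None:
            break
        stage_times.append(hit["time"])
    return {
        "logon_bursts": bursts,
        "rdp_accounts": sorted({e["user"] for e in rdp}),
        "stages_matched": len(stage_times),
        "full_chain": bool(bursts) and len(stage_times) == 3,
    }


if __name__ == "__main__":
    for key, value in correlate_chain(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The rules are deliberately independent so that each one is useful on its own (an account touching six hosts in ten minutes is worth a look even without the rest), while `correlate_chain` only reports a full match when the DC-side stages occur in sequence after one another. Thresholds such as the 30-minute window and the five-host minimum are starting points to tune against the environment's own baseline of service-account activity.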