New LV ransomware which has been making rounds since late 2020 appears to be nothing more than a repurposed version of the Revil ransomware, distributed by a separate gang, according to researchers at Secureworks Counter Threat Unit.
An analysis of the LV ransomware binary revealed that LV is a tweaked version of the REvil 2.03 beta binary. Researchers said the LV gang appears to have used a hex editor to modify this binary and its configuration file and remove certain characteristics from it. The threat actors also replaced the REvil configuration with their own.
“The code structure and functionality of the LV ransomware sample analyzed by CTU researchers are identical to REvil. The version value in the LV binary is 2.02, its compile timestamp is 2020-06-15 16:24:05, and its configuration is stored in a section named ‘.7tdlvx’. These characteristics align with REvil 2.02 samples first identified in the wild on June 17, 2020,” the researchers said.
While it seems that the gang, which Secureworks calls Gold Northfield, does not have access to REvil’s source code, there are several possible scenarios of how the threat actor could have obtained the binary file. One possibility is that the REvil’s operators, tracked by Secureworks as Gold Southfield, could have sold the source code. Other theories suggest that the source code was stolen, or that Gold Southfield shared the code with another threat group as part of a partnership.
The researchers said they did not find any LV ransomware advertisements on underground forums, however, variations in partner and campaign IDs across LV configurations and the practice of naming and shaming victims could indicate that Gold Northfield is launching their own ransomware-as-a-service (RaaS).
As many other ransomware gangs, Gold Northfield has its own payment and leak sites. In fact, the researchers discovered two LV ransomware leak sites that have an identical structure but appear to be operated independently. The sites listed different victims except for one entry listed on both sites. Why Gold Northfield would operate two leak sites, is not clear.
The gang also shares screenshots of stolen files on the leak sites, and threatens to make the stolen information public unless the victim makes contact within 72 hours, but as of yet the treat actors have not published any information stolen form their victims.
“It is too early in GOLD NORTHFIELD's evolution to evaluate the threat it poses. The ability to repurpose the REvil binary suggests that the threat actors have technical capabilities. Additionally, the complexity required for this repurposing and the configuration variations across LV samples suggest that GOLD NORTHFIELD may have automated the process. Although a RaaS for the LV ransomware could provide direct competition for GOLD SOUTHFIELD's RaaS offering, the lack of a reliable and organized infrastructure needed to operate a successful RaaS offering suggests that GOLD NORTHFIELD has to expand its capabilities and resources to compete with other ransomware operations,” the researchers said.