REvil Ransomware Code Used by LV Ransomware
The LV ransomware, a strain that showed up this spring, was based on pirated REvil ransomware code, according to researchers. The LV operators used a hex editor to repurpose a REvil binary almost wholesale for their own purposes, which indicates reverse engineering of the malicious code rather than access to its source. The code structure and functionality of the LV ransomware sample analyzed by CTU researchers are identical to REvil. The version in the LV binary is 2.02, its compile timestamp is 2020-06-15 16:24:05, and its configuration is stored in a section named '.7tdlvx'. These findings align with REvil 2.02 samples first identified on June 17, 2020. The nature of the modifications suggests that the group does not have access to REvil's source code. The group likely used a hex editor to remove identifying characteristics from the binary to conceal that LV is a repurposed version of REvil.
REvil is the gang behind a recent attack on the nuclear contractor Sol Oriens, the JBS Foods attack, and the attack on Apple just hours before its new product launch. So, it's no surprise that other groups would want the code. In order to repurpose the REvil binary, Gold Northfield (the group behind LV) needed to provide a replacement configuration with the same structure as REvil's, in the form of a JSON-formatted string containing the key elements. The group also needed to RC4-encrypt the fresh configuration with a 32-byte key. To bypass REvil's anti-tamper control, which ensures the integrity of the configuration, Gold Northfield also had to generate a CRC32 hash of the updated encrypted configuration and then replace the hard-coded, pre-calculated CRC32 hash stored in the binary with the updated configuration's CRC32 hash. These changes are necessary because the REvil code calculates the configuration's CRC32 hash value at runtime and terminates if the calculated and hard-coded hashes do not match. Finally, Gold Northfield needed to write the RC4 key, the CRC32 hash, the length of the encrypted configuration and the encrypted configuration itself into the REvil binary. When done correctly, the binary executes using LV's updated configuration: the files on the victim's computer are encrypted with session keys that are protected by LV's public key, and victims are directed to LV's ransom payment site.
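The anti-tamper check described above is the same one an analyst runs when pulling a configuration out of a sample: verify the stored CRC32 against the encrypted blob, then RC4-decrypt with the embedded key and parse the JSON. The following is an added example, not code from the article or from any REvil/LV sample; it assumes a section layout of 32-byte key, 4-byte CRC32, 4-byte length, then the encrypted configuration (an analyst's model of what the text describes), and the sample key and configuration contents are constructed.

```python
import json
import struct
import zlib

# Assumed layout (not stated in the article): 32-byte RC4 key | CRC32 | length | RC4(JSON)
HEADER = struct.Struct("<32sII")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config_section(section: bytes) -> dict:
    """Replicate the runtime integrity check: CRC32 over the *encrypted* body
    must equal the stored hash, otherwise the binary would terminate."""
    key, stored_crc, length = HEADER.unpack_from(section, 0)
    enc = section[HEADER.size:HEADER.size + length]
    if len(enc) != length:
        raise ValueError("configuration section is truncated")
    actual = zlib.crc32(enc) & 0xFFFFFFFF
    if actual != stored_crc:
        raise ValueError(f"CRC32 mismatch: stored {stored_crc:#010x}, computed {actual:#010x}")
    return json.loads(rc4(key, enc).decode())


def build_sample_section(config: dict, key: bytes) -> bytes:
    """Constructed test fixture so the parser can be exercised offline."""
    enc = rc4(key, json.dumps(config).encode())
    return HEADER.pack(key, zlib.crc32(enc) & 0xFFFFFFFF, len(enc)) + enc


def demo():
    sample_key = bytes(range(32))                       # constructed, not a real key
    config = {"dmn": [], "note_domain": "CONSTRUCTED"}  # dmn emptied, as in LV
    section = build_sample_section(config, sample_key)
    parsed = parse_config_section(section)
    # Flip one byte of the encrypted body: the integrity check must now fail.
    off = HEADER.size
    tampered = section[:off] + bytes([section[off] ^ 0x01]) + section[off + 1:]
    try:
        parse_config_section(tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return parsed, tamper_detected
```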
LV appears to be using REvil's tactics, according to the analysis, including stealing information during attacks and posting the names of its victims on leak sites. There are some key differences between the two groups, according to researchers. The REvil configuration specifies 1,200 command-and-control domains that the malware can communicate with. LV's configuration removes all of these from the dmn field, which has two results. First, it ensures that LV ransomware victims' data is not sent to REvil C2 servers. Second, removing these domains rather than replacing them with C2 domains operated by Gold Northfield suggests that the group may not be capable of maintaining C2 infrastructure or developing the backend automation required to process and track victims' data.
The ransom note is identical to the one used by REvil except for the ransom payment domain. There are signs that LV's operators are not as advanced as REvil: when researchers submitted a key at the site specified in the note, they encountered HTTP errors. The errors may be caused by anti-analysis controls implemented by Gold Northfield to inspect characteristics of the submitted key for suspicious or undesirable activity. They may also be a sign that the group is struggling to maintain the infrastructure.
It is possible that REvil sold the source code to other ransomware groups or offered it up as part of a partnership. The Gold Northfield group sped up its exposure within the ransomware ecosystem by repurposing the binary. Without spending resources on ransomware development, groups can operate more efficiently, which results in more profit. Researchers haven't seen LV ransomware advertisements on underground forums, but the use of the partner ID function could indicate that a RaaS offering is being developed. The lack of the reliable and organized infrastructure needed to operate a successful RaaS offering shows that Gold Northfield has to increase its capabilities and resources to compete with other ransomware operations.