[MART] - Daily Diary #290 - Meet LV Ransomware, Sodinokibi Copycat

CTAS-MAT ctas-mat at appgate.com
Wed Jun 23 22:02:52 UTC 2021


Hello,
I hope everyone is doing well!

Below is the entry for today.

06/23/2021 - Diary entry #290:

Over the last year, we've covered several incidents caused by the infamous Sodinokibi Ransomware. Operating under the ransomware-as-a-service model, it managed to infect big companies and profit millions of dollars from those that decided to pay the ransom. This has attracted a lot of attention, and now we are seeing variants in action. First discovered this year, LV Ransomware also runs as ransomware-as-a-service, and now we are seeing copycat activity.

Samples collected by the Secureworks Counter Threat Unit revealed that the LV Ransomware binary appears to be a modified copy of Sodinokibi Ransomware version 2.03. A comparison of both binaries shows minor changes, such as the configuration file (containing the C2 server addresses) and strings, all of which keep the same number of bytes. That means the binary was probably altered using a hex editor, which can be hard work depending on the changes but is a very effective way to create your own version of a binary you don't have the source code for. It's not clear how LV Ransomware replicated the C2 servers, as this would require access to a working C2 operator or advanced reverse engineering to replicate all the endpoint functions.
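As an added example (not code from the diary entry, Secureworks or Appgate), the following Python script does the kind of byte-level comparison described above: it accepts only same-size inputs, since an in-place hex-editor patch preserves file length, lists each run of changed bytes with its offset, and reports the fraction of unchanged bytes. The two buffers are constructed placeholders standing in for the original and patched binaries, not real samples.

```python
from typing import List, Optional, Tuple

Span = Tuple[int, int, bytes, bytes]  # (offset, length, old_bytes, new_bytes)


def diff_spans(original: bytes, modified: bytes) -> List[Span]:
    """Return every run of bytes that differs between two same-size buffers.

    A size mismatch raises: an in-place hex-editor patch keeps the file
    length, so unequal sizes already argue against that hypothesis.
    """
    if len(original) != len(modified):
        raise ValueError(f"size mismatch: {len(original)} vs {len(modified)}")
    spans: List[Span] = []
    start: Optional[int] = None
    for i, (a, b) in enumerate(zip(original, modified)):
        if a != b and start is None:
            start = i                      # a changed run begins here
        elif a == b and start is not None:
            spans.append((start, i - start, original[start:i], modified[start:i]))
            start = None
    if start is not None:                  # changed run reaches end of file
        spans.append((start, len(original) - start, original[start:], modified[start:]))
    return spans


def unchanged_ratio(original: bytes, modified: bytes) -> float:
    """Fraction of bytes identical at the same offset (1.0 = byte-for-byte equal)."""
    if not original:
        return 1.0
    changed = sum(length for _, length, _, _ in diff_spans(original, modified))
    return 1.0 - changed / len(original)


# Constructed stand-ins for the original and patched binaries (NOT real samples):
# a C2 entry and a name string are overwritten with replacements of equal length.
ORIGINAL = (b"MZ\x90\x00" + b"\x00" * 28 + b"c2=dom-a.example;" + b"\x00" * 8
            + b"REvil-2.03" + b"\x00" * 16)
MODIFIED = (b"MZ\x90\x00" + b"\x00" * 28 + b"c2=dom-b.example;" + b"\x00" * 8
            + b"LV-variant" + b"\x00" * 16)

if __name__ == "__main__":
    for off, length, old, new in diff_spans(ORIGINAL, MODIFIED):
        print(f"0x{off:08x} len={length:3d}  {old!r} -> {new!r}")
    print(f"unchanged: {unchanged_ratio(ORIGINAL, MODIFIED):.1%}")
```

Short runs of changed bytes at offsets where strings or configuration data live, with a high unchanged ratio, are the pattern that points to in-place patching rather than a rebuild from source.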

LV Ransomware also runs a wall of shame, named LV Blog, where they publish stolen data from targets that refused to pay the ransom. Our team had access to LV Blog. Curiously, LV runs two different wall-of-shame blogs with the same template but different target lists, both hosted on the Tor network. On the first website the latest post is from April this year, where they published data from the French company REOREV, and on the second website the latest post is from May this year, with data from SMPDynamics. It's not unusual for malware to share code or tools, but this incident shows a more aggressive approach. If this becomes a trend, we expect malware to implement more obfuscators and anti-tamper controls.

Kind Regards,




Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
