The LV ransomware operators likely used a hex editor to repurpose a REvil binary almost wholesale, for their own nefarious purposes.
They say imitation is the sincerest form of flattery: The LV ransomware, a strain that cropped up just this spring, turns out to be based on what is most likely pirated REvil ransomware code, according to researchers.
A malware analysis of LV from Secureworks Counter Threat Unit (CTU) found that its operators (which it calls Gold Northfield), replaced the configuration of a REvil v2.03 beta version to basically copy and repurpose the REvil binary for its own ransomware. This indicates a likely reverse-engineering job, researchers said.
“The code structure and functionality of the LV ransomware sample analyzed by CTU researchers are identical to REvil,” researcher said in a Tuesday blog post. “The version value in the LV binary is 2.02, its compile timestamp is 2020-06-15 16:24:05, and its configuration is stored in a section named ‘.7tdlvx’. These characteristics align with REvil 2.02 samples first identified in the wild on June 17, 2020.”
It’s also possible that Gold Northfield simply stole the source code – but CTU researchers noted that some signs discount that theory. For instance, among the differences between the two is the fact that in LV’s code, REvil 2.03’s strings are replaced by spaces.
This can be seen in a snarky code snippet found in REvil 2.03 that’s meant to insult prominent security researchers, including Vitali Kremez, among others. In LV’s code, the insults are stripped out.
“This type of code modification suggests that Gold Northfield does not have access to REvil’s source code,” researchers wrote. “The threat actors likely used a hex editor to remove potentially identifying characteristics from the binary to conceal that LV is a repurposed version of REvil.”
Hijacking the REvil Binary
REvil, a.k.a. Sodinokibi, is the gang reportedly behind a high-profile recent attack on the Sol Oriens nuclear contractor, the $11 million JBS Foods attack, the $50 million squeeze placed on Apple just hours before its splashy new product launch, an attack on Quanta, which is contracted to assemble Apple products, and on and on.
So, perhaps it’s no surprise that other cybercrime syndicates want to be just like them, code and all.
To that end, to repurpose the REvil binary, Gold Northfield needed to provide a configuration replacement that has the same identical configuration as the REvil code, in the form of a JSON-formatted string containing key elements, according to CTU. Then, the group needed to to RC4-encrypt the fresh configuration with a 32-byte key.
“To bypass REvil’s anti-tamper control that ensures the integrity of the configuration, Gold Northfield also had to generate a CRC32 hash of the updated encrypted configuration and then replace the hard-coded precalculated CRC32 hash stored in the binary with the updated configuration’s CRC32 hash,” researchers said. “These changes are necessary because the REvil code calculates the configuration’s CRC32 hash value at runtime and terminates if the calculated and hard-coded hashes do not match.”
Finally, Gold Northfield needed to add the RC4 key, the CRC32 hash, the length of the encrypted configuration and the encrypted configuration itself to the REvil binary, they added.
“If done correctly, the binary will successfully execute using LV’s updated configuration,” according to the post. “Files on the victim’s system will be encrypted with session keys that are protected by LV’s public key, and victims will be directed to LV’s ransom payment site via the updated ransom note.”
LV Configuration Updates and Changes
LV appears to be replicating REvil’s playbook in many ways, according to the analysis, including stealing information during attacks and posting the names of its victims on “name and shame” leak sites. However, there are key differences between the two groups, according to CTU.
Some of these highlight LV’s less-sophisticated arsenal of skills. For instance, a standard REvil configuration specifies 1,200 command-and-control (C2) domains that the malware can communicate with, according to CTU, sending along ransomware version; session keys used for file encryption; public key used to encrypt the session keys; and victims’ details, such as username, hostname, and region.
However, LV’s configuration removes all of these from the “dmn” file, which has two consequences. First, it ensures that LV ransomware victims’ data is not sent to REvil C2 servers – an important aspect of any successful hijacking of code. And secondly, it tells researchers that the LV gang isn’t as sophisticated as some of its rivals.
“Removing these domains rather than replacing them with C2 domains operated by Gold Northfield suggests that the group may not be capable of maintaining C2 infrastructure or developing the backend automation required to process and track victims’ data,” explained CTU researchers.
Meanwhile, when it comes to the ransom note, it’s identical to the one used by REvil except for the replacement of REvil’s ransom payment Tor domain with one of LV’s own.
Here too, there are indications that LV’s operators are not as advanced as REvil – when submitting a key specified in the note, CTU researchers were thrown website errors.
“The HTTP errors may be caused by anti-analysis controls implemented by Gold Northfield to inspect characteristics of the submitted key for suspicious or undesirable activity,” they explained. “They may also indicate that the threat group is struggling to maintain resilient infrastructure due to lack of skill or insufficient resources.”
There are a couple of other notable differences between the two configuration choices, including how the partner ID (pid) parameter varied in some of the configurations. In the case of LV, it appears that it could leverage this element to track individual ransomware-as-a-service (RaaS) affiliates.
“LV configurations had matching bcrypted partner IDs across different configurations,” according to the analysis. “Although the pid is hashed, a partner could be tracked using the bcrypted hash value. REvil generates a new bcrypted hash for each configuration, making partner tracking impossible.”
There are also differences in how the public key (pk) parameter is treated. LV uses a a master encryption key pair to decrypt the locked-up files of victims. “The pk rotation across configurations suggests the creation of a unique key pair for each victim, which prevents file decryption across multiple victims if the attacker’s private key is obtained,” researchers said.
Pirate or Partner?
Although it’s possible that REvil sold the source code to the other ransomware gang or offered it up as part of a partnership, the repurposing of the binary will only increase competition levels, CTU researchers noted, which suggests this was a five-finger discount play rather than any cooperative action.
“The Gold Northfield threat actors significantly expedited their maturity within the ransomware ecosystem [by repurposing the binary],” according to the report. “Without expending resources on ransomware development, the group can operate more efficiently than its competitors while still offering a best-in-class ransomware offering, ultimately resulting in a more profitable business model.”
CTU researchers said they haven’t yet seen LV ransomware advertisements on underground forums, though the use of the partner ID function across LV configurations and the practice of naming and shaming victims could indicate that a RaaS offering is being developed..
However, “the lack of a reliable and organized infrastructure needed to operate a successful RaaS offering suggests that Gold Northfield has to expand its capabilities and resources to compete with other ransomware operations,” according to the report.
Meanwhile, the REvil group is probably displeased that its code has been lifted, researchers said, which could lead to some malware coding changes on its part.
“Gold Northfield’s unauthorized manipulation of REvil will likely prompt [the gang] to implement additional anti-tamper controls and modify configuration storage and processing to impede future attempts to overwrite the REvil configuration,” they said.
To get more insights into ransomware, download our exclusive FREE Threatpost Insider eBook, “2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!