24 June 21, 12:06
Quote:They say imitation is the sincerest form of flattery: The LV ransomware, a strain that cropped up just this spring, turns out to be based on what is most likely pirated REvil ransomware code, according to researchers.
A malware analysis of LV from Secureworks Counter Threat Unit (CTU) found that its operators (which it calls Gold Northfield), replaced the configuration of a REvil v2.03 beta version to basically copy and repurpose the REvil binary for its own ransomware. This indicates a likely reverse-engineering job, researchers said.
“The code structure and functionality of the LV ransomware sample analyzed by CTU researchers are identical to REvil,” researcher said in a Tuesday blog post. “The version value in the LV binary is 2.02, its compile timestamp is 2020-06-15 16:24:05, and its configuration is stored in a section named ‘.7tdlvx’. These characteristics align with REvil 2.02 samples first identified in the wild on June 17, 2020.”
It’s also possible that Gold Northfield simply stole the source code – but CTU researchers noted that some signs discount that theory. For instance, among the differences between the two is the fact that in LV’s code, REvil 2.03’s strings are replaced by spaces.
This can be seen in a snarky code snippet found in REvil 2.03 that’s meant to insult prominent security researchers, including Vitali Kremez, among others. In LV’s code, the insults are stripped out.
Read more: REvil Ransomware Code Ripped Off by Rivals | Threatpost