
Sure looks like someone's pirating the REvil ransomware, tweaking the binary in a hex editor for their own crimes
2021-06-23 00:02

It appears someone is pirating the infamous REvil ransomware by tweaking its files for their own purposes.

In a report published today, Secureworks said it has seen a ransomware strain it tracks as LV infecting Windows machines with binaries that closely resemble REvil's code; REvil itself is operated by a group the researchers label Gold Southfield.

Secureworks considered the possibility that REvil's masterminds Gold Southfield "sold the source code, that the source code was stolen, or that Gold Southfield shared the code with another threat group as part of a partnership," and came to the conclusion that LV, whose operators the researchers track as Gold Northfield, is probably an "unauthorized" rip-off of a REvil beta.

Secureworks wrote: "The threat actors likely used a hex editor to remove potentially identifying characteristics from the binary to conceal that LV is a repurposed version of REvil. The hard-coded 2.02 version value and the unique REvil 2.03 code suggest that Gold Northfield used a beta version of REvil 2.03 as the basis for LV ransomware."

The public key embedded in the LV binaries was different in each sample Secureworks examined, suggesting "the creation of a unique key pair for each victim, which prevents file decryption across multiple victims if the attacker's private key is obtained."
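The two findings above, an identifying string scrubbed with a hex editor and a key field that changes from sample to sample, both show up as same-length byte runs that differ between copies of otherwise identical code. The script below is an added example written for this article, not code from Secureworks or from any REvil or LV sample: it builds two constructed stand-in "binaries" (an original and a hex-edited copy) with an invented layout, then finds every contiguous run of differing bytes and labels each as a wiped string or a replaced binary field. The offsets, the version tag, the build string and the 32-byte key field are all assumptions for illustration, not REvil's real structure.

```python
"""Find the byte ranges a hex editor changed between two copies of a binary.

Added example for this article; not code from Secureworks, The Register, or any
REvil/LV sample. ORIGINAL is a constructed stand-in for an unmodified build and
PATCHED for a hex-edited copy; the layout (version tag, build string, 32-byte
key field) and the offsets are assumptions chosen for illustration only.
"""
from __future__ import annotations

# Constructed "original": header, hard-coded version tag, an identifying build
# string, a 32-byte embedded public key, and padding. Invented layout.
VERSION_OFF = 16
TAG_OFF = 25
KEY_OFF = 44
ORIGINAL = (
    b"MZ\x90\x00" + b"\x00" * 12          # 0..15  fake header
    + b"ver=2.02\x00"                     # 16..24 version tag, left untouched
    + b"original dev tag\x00"             # 25..41 identifying string
    + b"PK" + bytes(range(32))            # 42..75 key marker + 32-byte key
    + b"\x00" * 8                         # 76..83 padding
)


def hex_edit(data: bytes, offset: int, patch: bytes) -> bytes:
    """Overwrite bytes in place, as a hex editor does: the file size never changes."""
    if offset + len(patch) > len(data):
        raise ValueError("patch runs past end of file")
    return data[:offset] + patch + data[offset + len(patch):]


# Constructed "pirated" copy: the identifying string is nulled out and the key
# field holds a different (invented) 32-byte value; the version tag is untouched.
PATCHED = hex_edit(
    hex_edit(ORIGINAL, TAG_OFF, b"\x00" * len(b"original dev tag")),
    KEY_OFF,
    bytes(range(32, 64)),
)


def diff_ranges(a: bytes, b: bytes) -> list[tuple[int, bytes, bytes]]:
    """Return (offset, bytes_in_a, bytes_in_b) for each maximal run of differing bytes."""
    if len(a) != len(b):
        raise ValueError("in-place hex edits keep the size; use a real diff for resized files")
    ranges = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, a[start:i], b[start:i]))
            start = None
    if start is not None:
        ranges.append((start, a[start:], b[start:]))
    return ranges


def classify(before: bytes, after: bytes) -> str:
    """Label a change: a printable string overwritten with nulls reads as an
    identity scrub; a same-length opaque blob reads as a swapped field such as a key."""
    printable = all(0x20 <= c < 0x7F for c in before)
    if printable and not any(after):
        return "string wiped"
    if len(before) >= 16 and not printable:
        return "binary field replaced"
    return "bytes changed"


def report(a: bytes, b: bytes) -> list[dict]:
    """Summarise every differing run with its offset, length and classification."""
    return [
        {"offset": off, "length": len(x), "kind": classify(x, y),
         "before": x, "after": y}
        for off, x, y in diff_ranges(a, b)
    ]


if __name__ == "__main__":
    for change in report(ORIGINAL, PATCHED):
        print(f"0x{change['offset']:04x} {change['length']:3d} bytes  {change['kind']}")
```

Run against the constructed pair it reports two runs: a 16-byte printable string turned into nulls and a 32-byte opaque field swapped for another, while the hard-coded version tag survives unchanged, which is the kind of evidence the report describes. The same routine applied to several real samples of one family would flag a field that differs in every sample as a candidate per-victim key; it deliberately refuses files of different sizes, because a hex editor cannot insert or delete bytes without a rebuild.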

REvil is already a known ransomware-as-a-service (RaaS) operator, having previously told the cybercrime underworld that it would start vetting its criminal "partners" to stop them doing anything that would draw domestic law enforcement attention.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/06/23/revil_ransomware_lv/