It appears that someone is ripping off REvil’s ransomware by modifying its files for their own purposes. According to Secureworks, a ransomware strain called LV has been spotted, and it is similar to the ransomware code used by REvil.
Secureworks has been tracking the group, under the codename Gold Northfield, in the wild since October 2020. The group deploys a slightly tweaked version of REvil’s binary that still contains references to REvil’s command-and-control infrastructure, but the data exfiltration infrastructure has been removed.
Secureworks considered the possibilities that REvil’s code could have been stolen, leaked, or shared with another threat group. The researchers concluded, however, that LV is most likely an “unauthorized” rip-off of a REvil beta.
“This type of code modification suggests that Gold Northfield does not have access to REvil’s source code,” the researchers noted.
“The threat actors likely used a hex editor to remove potentially identifying characteristics from the binary to conceal that LV is a repurposed version of REvil. The hard-coded 2.02 version value and the unique REvil 2.03 code suggest that Gold Northfield used a beta version of REvil 2.03 as the basis for LV ransomware.”
Instead of using REvil’s standard payment system, LV uses Tor-based ransom payment engines. They also have two websites where they plan to publish stolen data. So far, no data has been leaked on the sites, though the operators claim to have had a dozen successful infections.
The LV variant of the REvil ransomware is not being advertised for sale in malware forums, which, researchers think, could indicate that someone is about to launch a RaaS operation.
The Gold Northfield actors chose to modify the binary of the notorious ransomware to shortcut their own development. By skipping the development of their own ransomware, the actor can focus on other areas of the RaaS business, such as marketing and customer support, which lets them stay competitive in the market while still offering a high-quality product.
Gold Southfield, the REvil operators, have since implemented additional counter-decryption controls to prevent future attempts to modify the REvil configuration: the researchers observed that REvil now uses “a unique key pair for each victim, which prevents file decryption across multiple victims if the attacker’s private key is obtained.”
Researchers from Secureworks discovered that Gold Northfield’s REvil strain used a unique key pair that prevents the public key from being used to decrypt files.