Active since late 2021, LV Ransomware is a ransomware-as-a-service (RaaS) operation based on REvil. Experts believe that REvil operators either shared or sold the ransomware's source code to LV Ransomware. Trend Micro found that the group has recently reemerged in the threat landscape with a new attack.

Diving into details

  • In an incident, LV Ransomware compromised the corporate environment of a Jordan-based organization.
  • It exploited the Microsoft vulnerabilities ProxyShell and ProxyLogon and dropped a webshell in the public access folders.
  • While the threat actors didn’t add capabilities to their ransomware, they expanded affiliate programs. 
  • The attackers, furthermore, leveraged double extortion to blackmail the victims.

About the targets

LV Ransomware breaches accelerated in Q2 2022, coinciding with the expansion of its affiliate program.
  • Data from Trend Micro suggests that Europe had the highest breach alerts, followed by North America and Asia.
  • The most reported incidents caused by the ransomware payload were in the U.S. and Saudi Arabia.
  • While the group targets every industry vertical, the manufacturing and technology sectors have been the most affected.

Some worrisome ransomware news

  • LockBit has emerged as the most active global threat, accounting for the highest number of victims (231) in a quarter.
  • Researchers observed a 674% rise in DeadBolt ransomware attacks between June and September. It has been targeting QNAP NAS devices and extorting ransom from the victims and the vendor.
  • In its latest campaign, the Magniber ransomware was found targeting Windows home users, focusing on Windows 10 and 11.

The bottom line

The extension of its affiliate program has allowed LV Ransomware to gain widespread access across multiple sectors, implying that the success of ransomware attacks relies not only on functionality enhancements but also on better propagation networks. First, it is necessary to patch the ProxyShell and ProxyLogon bugs to stay safe. In addition, implementing data protection and recovery measures ensures that no data is lost even during a successful ransomware attack.
Cyware Publisher