[BreachExchange] ‘Groupe Reorev’ Breached by the ‘LV’ Ransomware Actors

[Destry Winant]

https://www.technadu.com/groupe-reorev-breached-lv-ransomware-actors/270239/

A new ransomware group known as “LV” claims to have stolen 400GB of
sensitive data from Groupe Reorev.

The actors have leaked out some sample documents, but those aren’t very
important or damaging.

The most worrying part is the client data and technical documents, as
Reorev has many high-profile customers.

The ransomware group that goes by the name “LV” has announced what is maybe
their most prestigious hit to date, as they claim to have compromised the
corporate network of Groupe Reorev. This is a French conglomerate of R&D
engineering, production equipment, manufacturing and integration entities,
encompassing Ravaj, SDEI Ouest, and SEF Touraine, and having active
partnerships with well-known brands such as Safran, Michelin, SKF,
Mecachrome, Delphi, Schneider Electric, Valeo, Eiffage, Fareva, and
Atlantic.

The actors claim to have exfiltrated 400GB of sensitive data that includes
documents relevant to finance, accounting, banking, insurance, client data,
and technical data. The last two sound like the riskiest of all for Reorev,
as having the details of your customers or your patented technology leaked
publicly is always a regrettable incident and one that’s hard to recuperate
from.

We have checked some of the samples that the LV actors have published on
their Tor site, and there doesn’t seem to be anything really sensitive or
apocalyptic in there. We should point out that when the extortion process
begins, ransomware actors are typically not letting out damaging files but
only what’s needed to convince the victims that their files have indeed
been stolen. Also, we have found files dating to April 2021, so the
intrusion and subsequent data exfiltration took place recently.

The LV group was first noticed in November 2020, so it’s a fairly recent
actor that appeared to be using the same ransomware as REvil (Sodinokibi).
It was never determined if the LV is an affiliate separate program or just
stole REvil’s malware somehow. Since LV didn’t have any “big hits” until
now, it never received much attention from the researchers’ community.

We have reached out to Groupe Reorev asking for a comment, and we’ll update
this piece once we hear back from them. For now, we see no impact on the
firm’s website or any indications that its manufacturing has been affected
by the security incident. The main problem remains the stolen data and what
exactly could the LV actors be holding.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210511/47936f62/attachment.html>