‘Groupe Reorev’ Breached by the ‘LV’ Ransomware Actors

Written by Bill Toulas
Last updated June 23, 2021

The ransomware group that goes by the name “LV” has announced what may be their most prestigious hit to date, as they claim to have compromised the corporate network of Groupe Reorev. This is a French conglomerate of R&D engineering, production equipment, manufacturing, and integration entities, encompassing Ravaj, SDEI Ouest, and SEF Touraine, with active partnerships with well-known brands such as Safran, Michelin, SKF, Mecachrome, Delphi, Schneider Electric, Valeo, Eiffage, Fareva, and Atlantic.

The actors claim to have exfiltrated 400GB of sensitive data that includes documents relevant to finance, accounting, banking, insurance, client data, and technical data. The last two sound like the riskiest of all for Reorev, as having the details of your customers or your patented technology leaked publicly is always a regrettable incident and one that’s hard to recover from.

Source: KELA

We have checked some of the samples that the LV actors have published on their Tor site, and there doesn’t seem to be anything really sensitive or apocalyptic in there. We should point out that when the extortion process begins, ransomware actors typically do not release damaging files but only what’s needed to convince the victims that their files have indeed been stolen. Also, we have found files dating to April 2021, so the intrusion and subsequent data exfiltration took place recently.

The LV group was first noticed in November 2020, so it’s a fairly recent actor that appeared to be using the same ransomware as REvil (Sodinokibi). It was never determined whether LV is a separate affiliate program or simply stole REvil’s malware somehow. Since LV didn’t have any “big hits” until now, it never received much attention from the research community.

We have reached out to Groupe Reorev asking for a comment, and we’ll update this piece once we hear back from them. For now, we see no impact on the firm’s website or any indications that its manufacturing has been affected by the security incident. The main problem remains the stolen data and what exactly the LV actors could be holding.
