- A new ransomware group known as “LV” claims to have stolen 400GB of sensitive data from Groupe Reorev.
- The actors have leaked out some sample documents, but those aren’t very important or damaging.
- The most worrying part is the client data and technical documents, as Reorev has many high-profile customers.
The ransomware group that goes by the name “LV” has announced what is maybe their most prestigious hit to date, as they claim to have compromised the corporate network of Groupe Reorev. This is a French conglomerate of R&D engineering, production equipment, manufacturing and integration entities, encompassing Ravaj, SDEI Ouest, and SEF Touraine, and having active partnerships with well-known brands such as Safran, Michelin, SKF, Mecachrome, Delphi, Schneider Electric, Valeo, Eiffage, Fareva, and Atlantic.
The actors claim to have exfiltrated 400GB of sensitive data that includes documents relevant to finance, accounting, banking, insurance, client data, and technical data. The last two sound like the riskiest of all for Reorev, as having the details of your customers or your patented technology leaked publicly is always a regrettable incident and one that’s hard to recuperate from.
We have checked some of the samples that the LV actors have published on their Tor site, and there doesn’t seem to be anything really sensitive or apocalyptic in there. We should point out that when the extortion process begins, ransomware actors are typically not letting out damaging files but only what’s needed to convince the victims that their files have indeed been stolen. Also, we have found files dating to April 2021, so the intrusion and subsequent data exfiltration took place recently.
The LV group was first noticed in November 2020, so it’s a fairly recent actor that appeared to be using the same ransomware as REvil (Sodinokibi). It was never determined if the LV is an affiliate separate program or just stole REvil’s malware somehow. Since LV didn’t have any “big hits” until now, it never received much attention from the researchers’ community.
We have reached out to Groupe Reorev asking for a comment, and we’ll update this piece once we hear back from them. For now, we see no impact on the firm’s website or any indications that its manufacturing has been affected by the security incident. The main problem remains the stolen data and what exactly could the LV actors be holding.