Cyber Threat Actor: LV ransomware group
| Actor Type | Location | Known Incidents |
Criminal
|
United States of America
|
5 incidents |
|---|
Profile
The LV ransomware group, also tracked as LV ransomware, is a threat actor whose known operational base is located in the United States of America. Public reporting ties the group to a range of victim organizations across different industries, including a global semiconductor manufacturer, a regional public transit authority, a further education college, a public school district, and an online marketplace for gaming items. These incidents show that the actor targets entities in North America and Europe, affecting both private sector firms and public service providers. The observed outcomes of the attacks include the deployment of ransomware that encrypts systems, claims of large‑scale data exfiltration, and the disruption of essential services such as transportation scheduling, online learning platforms, and internal communications. In several cases the attackers issued ransom demands, while in others they refused to engage with victims who declined to pay, indicating a mix of financial extortion and disruptive impact as part of their operational pattern.
Analysis of the disclosed incidents reveals consistent tactics, techniques and procedures associated with the LV ransomware group. The group employs its eponymous LV ransomware malware to encrypt files on compromised networks. Initial access has been documented via a phishing email that originated from an IP address in Moscow, Russia, in the case of the Moses Lake School District attack, suggesting that social engineering remains a viable entry point. Victims have reported receiving email notifications that inform them of the encryption event, as seen with the Cape Cod Regional Transit Authority, which the group uses to communicate the compromise without necessarily revealing the ransom amount. Beyond encryption, the actor has been observed exfiltrating data prior to or during the ransomware deployment, exemplified by the claim of 2 TB of data taken from Semikron and the theft of user information from the Roblox grey marketplace. The group’s tooling style includes the use of backups for recovery efforts by victims and a pattern of refusing to negotiate with those who decline to meet ransom demands, as demonstrated by City Lit and the Moses Lake School District. No public sources link the LV ransomware group to a specific state sponsor or a larger criminal consortium; attribution remains limited to the geographic indication of U.S.‑based operations.
Representative operations that illustrate the group’s activity include the August 2022 ransomware incident against Semikron, which resulted in partial IT system encryption and alleged large‑scale data theft, prompting external forensic involvement and international remediation efforts. The May 2022 attack on the Cape Cod Regional Transit Authority disrupted communication systems and forced a temporary shift to manual scheduling for Dial‑a‑Ride services while law‑enforcement agencies, including the FBI, became involved. In December 2021, City Lit suffered a prolonged IT outage that halted online classes and enrollment, leading the institution to shut down its network, refuse payment on ethical grounds, and notify the Information Commissioner’s Office. The July 2020 breach of the Moses Lake School District, initiated through a phishing email, demanded a $1 million ransom that was refused, leading to the rebuilding of over fifty servers and a two‑week operational shutdown. Finally, the June 2020 compromise of a Roblox‑focused grey marketplace showcased the actor’s ability to steal detailed user data, including hashed passwords and contact information, through a chain involving an insider bribe and a separate platform intrusion. These cases collectively demonstrate the LV ransomware group’s reliance on ransomware deployment, phishing‑based initial access, data exfiltration, and service disruption across multiple sectors and regions.
