Beware of a New Type of Ransomware Similar to ThunderCrypt
It Is Still Unclear If Lorenz Ransomware Is the Same Group or Inherited the Source Code to Create Its Own Version.
Last updated on May 14, 2021
There’s a new ransomware operation in town and it targets organizations around the world with customized attacks.
Dubbed Lorenz, the ransomware gang began operating a month ago and has since compiled a growing list of victims whose stolen data has been published on a data leak site, as reported by BleepingComputer.
According to ID Ransomware’s Michael Gillespie, the Lorenz ransomware encryptor is the same as the one used in the ThunderCrypt operation, but it’s not yet known whether Lorenz is the same group or purchased the ransomware source code to create its own variant.
Similar to other ransomware attacks, Lorenz breaches a network and spreads laterally to other devices until it gains access to Windows domain administrator credentials.
While spreading through the network, the attackers harvest unencrypted files from the victim’s servers and upload them to remote servers under their control. This stolen data is then published on a dedicated data leak site to pressure the victim into paying a ransom, or is sold to other threat actors.
Unlike other ransomware gangs, Lorenz pressures its victims into paying the ransom by making the data available for sale to other attackers or possible competitors. After a while, they start releasing password-protected RAR archives with the victim’s sensitive information.
Finally, if the victim doesn’t pay the ransom, and the data is not purchased, Lorenz releases the password for the archives so that they are publicly available to anyone who downloads the files. Together with the data, the ransomware gang sells access to the victim’s internal network, which can prove to be more useful to some cybercriminals.
As mentioned above, the threat actors customize the malware executable for the specific organization they are targeting.
When encrypting files, the ransomware uses AES encryption and an embedded RSA key to encrypt the encryption key. For each encrypted file, the .Lorenz.sz40 extension will be appended to the file’s name. Unlike other enterprise-targeting ransomware, the Lorenz sample we looked at did not kill processes or shut down Windows services before encrypting.
Every folder on the computer will contain a ransom note named HELP_SECURITY_EVENT.html with information explaining what happened to the victim’s files, a link to the Lorenz data leak site, and a link to a unique Tor payment site where the victim can make the payment.
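The two artifacts named above, the .Lorenz.sz40 suffix on encrypted files and a HELP_SECURITY_EVENT.html note in every folder, are what a responder would sweep a file share for first. The script below is an added triage example, not code from Heimdal, BleepingComputer or the Lorenz operators: it walks a directory tree, lists renamed files and notes, recovers the original file names from the suffix, and flags folders that hold encrypted files but no note, since the article says a note is dropped in every folder and a missing one suggests an interrupted run or a cleaned-up note. The sample tree it builds for the demonstration is constructed for this example.

```python
"""Triage helper for the Lorenz artifacts described in the article.

Added example, not the author's or the ransomware's code. The file suffix
and note name come from the article; the demo directory tree is constructed.
"""
import os
import tempfile
from dataclasses import dataclass, field

LORENZ_EXTENSION = ".Lorenz.sz40"               # suffix appended to encrypted files
LORENZ_NOTE_NAME = "HELP_SECURITY_EVENT.html"   # ransom note dropped in every folder


@dataclass
class LorenzReport:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    folders_without_note: list = field(default_factory=list)

    @property
    def affected(self) -> bool:
        return bool(self.encrypted_files or self.ransom_notes)


def scan_for_lorenz_indicators(root: str) -> LorenzReport:
    """Walk `root` and collect files and folders matching the Lorenz artifacts."""
    report = LorenzReport()
    for dirpath, _dirs, files in os.walk(root):
        has_note = False
        has_encrypted = False
        for name in files:
            path = os.path.join(dirpath, name)
            if name == LORENZ_NOTE_NAME:
                has_note = True
                report.ransom_notes.append(path)
            elif name.endswith(LORENZ_EXTENSION):
                has_encrypted = True
                report.encrypted_files.append(path)
        # A note is expected beside every batch of encrypted files; its absence
        # points at an interrupted run or a note that was removed afterwards.
        if has_encrypted and not has_note:
            report.folders_without_note.append(dirpath)
    return report


def original_name(path: str) -> str:
    """Strip the appended suffix to recover the pre-encryption file name."""
    if path.endswith(LORENZ_EXTENSION):
        return path[: -len(LORENZ_EXTENSION)]
    return path


def build_demo_tree(base: str) -> None:
    """Constructed sample: two folders fully hit, one untouched, one hit without a note."""
    layout = {
        "finance": [LORENZ_NOTE_NAME, "budget.xlsx" + LORENZ_EXTENSION, "q1.docx" + LORENZ_EXTENSION],
        "hr": [LORENZ_NOTE_NAME, "staff.csv" + LORENZ_EXTENSION],
        "public": ["readme.txt"],
        "backup": ["dump.sql" + LORENZ_EXTENSION],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(base, folder, name), "w", encoding="utf-8") as fh:
                fh.write("<html>placeholder note</html>" if name == LORENZ_NOTE_NAME else "placeholder data")


def demo() -> LorenzReport:
    """Build the constructed tree in a temp directory and scan it."""
    base = tempfile.mkdtemp(prefix="lorenz_demo_")
    build_demo_tree(base)
    return scan_for_lorenz_indicators(base)


if __name__ == "__main__":
    report = demo()
    print(f"affected: {report.affected}")
    print(f"encrypted files: {len(report.encrypted_files)}")
    for path in report.encrypted_files:
        print("  ", path, "->", original_name(path))
    print(f"ransom notes: {len(report.ransom_notes)}")
    print(f"folders with encrypted files but no note: {report.folders_without_note}")
```

Run it as-is to see the constructed case, or point scan_for_lorenz_indicators at a mounted share to get a list of affected paths for scoping and restore planning. The recovered names from original_name are what you compare against backup catalogues to decide what can be restored without paying.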
According to BleepingComputer, Lorenz ransom demands range from $500,000 to $700,000.
As new types of ransomware emerge, researchers decrypt some strains while others spawn new variants, so it can look like a cat-and-mouse game in which proactivity is vital. Paying the ransom never guarantees you actually get your data back, as it might still end up for sale on the Dark Web.
Cezarina is the Head of Marketing Communications and PR within Heimdal® and a cybersecurity enthusiast who loves bringing her background in content marketing, UX, and data analysis together into one job. She has a fondness for all things SEO and is always open to receiving suggestions, comments, or questions.