article featured image


There’s a new ransomware operation in town and it targets organizations around the world with customized attacks.

Dubbed Lorenz, the ransomware gang began operating a month ago and has since compiled a growing list of victims whose stolen data has been published on a data leak site, as reported by BleepingComputer.

According to ID Ransomware’s Michael Gillespie, the Lorenz ransomware encryptor is the same as ThunderCrypt operation, but it’s not yet known if Lorenz is the same group or purchased the ransomware source code to create its own variant.

Similar to other ransomware attacks, Lorenz breaches a network and spreads laterally to other devices until it gains access to Windows domain administrator credentials.

While spreading throughout the system, they will harvest unencrypted files from victims’ servers, which they upload to remote servers under their control. This stolen data is then published on a dedicated data leak site to pressure victims to pay a ransom or to sell the data to other threat actors.


Below, you can see a Lorenz data leak website that is currently listing twelve victims, while having exposed data for ten of them.

Lorenz data-leak-site heimdal security

Image Source: BleepingComputer

Unlike other ransomware gangs, Lorenz pressures its victims into paying the ransom by making the data available for sale to other attackers or possible competitors. After a while, they start releasing password-protected RAR archives with the victim’s sensitive information.

Finally, if the victim doesn’t pay the ransom, and the data is not purchased, Lorenz releases the password for the archives so that they are publicly available to anyone who downloads the files. Together with the data, the ransomware gang sells access to the victim’s internal network, which can prove to be more useful to some cybercriminals.

Lorenz access-to-internal-network heimdal

Image Source: BleepingComputer

As mentioned above, the threat actors customize the malware executable for the specific organization they are targeting.

When encrypting files, the ransomware uses AES encryption and an embedded RSA key to encrypt the encryption key. For each encrypted file, the .Lorenz.sz40 extension will be appended to the file’s name. Unlike other enterprise-targeting ransomware, the Lorenz sample we looked at did not kill processes or shut down Windows services before encrypting.


Every folder on the computer will be a ransom note named HELP_SECURITY_EVENT.html with information explaining what happened to a victim’s files, a link to the Lorenz data leak site, and a link to a unique Tor payment site where the victim can make the payment.

lorenz ransom-note heimdal security

Image Source: BleepingComputer

According to BleepingComputer, Lorenz ransom demands range from $500,000 to $700,000.

As new types of ransomware emerge, researchers decrypt some strains, but others get new variants, and it may look like a cat and mouse game, in which proactivity is vital. Paying the ransom never guarantees you actually get your data back, as it might still end up for sale on the Dark Web.

Therefore, prevention remains the best medicine as always. Heimdal™ Threat Prevention protects your endpoints and network against ransomware and data exfiltration with proprietary DNS security technology that spots and stops threats at the DNS, HTTP, and HTTPs layers. Coupled with the Heimdal™ Ransomware Encryption Protection, ransomware gangs won’t stand a chance.

Author Profile

Cezarina Dinu

Head of Marketing Communications & PR

linkedin icon

Cezarina is the Head of Marketing Communications and PR within Heimdal® and a cybersecurity enthusiast who loves bringing her background in content marketing, UX, and data analysis together into one job. She has a fondness for all things SEO and is always open to receiving suggestions, comments, or questions.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo