article featured image


Cybersecurity researchers from Dutch cybersecurity firm Tesorion analyzed the Lorenz ransomware and have come up with a fix that could allow victims to decrypt their files without being forced to make a ransom payment.

Just like other ransomware attacks, Lorenz ransomware breaches a network and spreads laterally to other devices until it gains access to Windows domain administrator credentials.

Lorenz threat actors also implement the double-extortion model by stealing data before encrypting it and threaten to publish it if the victim doesn’t pay the ransom. Until now, ransom demands varied between $500.000 and $700.000.

While spreading throughout the system, they will harvest unencrypted files from victims’ servers, which they upload to remote servers under their control. This stolen data is then published on a dedicated data leak site to pressure victims to pay a ransom or to sell the data to other threat actors.


Below, you can see a Lorenz data leak website that was listing twelve victims, while having exposed data for ten of them.

Lorenz ransomware data leak site


Lorenz Ransomware Decryptor Only Works for Certain Files

Following the Lorenz ransomware analysis, the cybersecurity firm Tesorion came to the conclusion that they can decrypt (non-corrupted) affected files in some cases without paying a ransom. Supported file types include Microsoft Office documents, PDF files, and some image and movie files.

The Lorenz ransomware decryptor, provided by Tesorion to victims for free, will be available for download via the NoMoreRansom initiative soon.

Even if the decryptor can’t decrypt every file type, it will help the ransomware victims to recuperate some important files without paying the ransom.

As shown by BleepingComputer, the decryptor can decrypt well-known file types, such as XLS and XLSX files, without a problem. However, it will not decrypt unknown file types or those with uncommon file structures.


In a blog post, Tesorion researcher Gijs Rijnders explains that a vulnerability in how they execute their encryption can lead to data loss, which would prevent a file from being decrypted even if the ransom payment was made.

The result of this bug is that for every file which’s size is a multiple of 48 bytes, the last 48 bytes are lost. Even if you managed to obtain a decryptor from the malware authors, these bytes cannot be recovered.


Author Profile

Antonia Din

PR & Video Content Manager

linkedin icon

As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.

Syed Yousaf Shah on April 14, 2022 at 7:17 am

Hi there! my PC is infected by .VTYM. Is there any possible way to recover my data?

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo