A new ransomware threat named the Lorenz Ransomware is being deployed in an active attack campaign. Despite the short time since the operation was launched, the cybercriminals behind Lorenz have already racked up a victim count of twelve different organizations. The hackers breach the internal network of their victims and move laterally in search of Windows domain administrator credentials, all the while harvesting sensitive unencrypted files and exfiltrating them to a remote server. Only afterward does the Lorenz Ransomware begin encrypting the files stored on the compromised systems, so by the time the encryption is noticed the data theft is already complete.
All obtained data is published on a dedicated leak website, which currently shows information from 10 of the 12 listed victims. The cybercriminals use the collected data to exert progressively increasing pressure on the breached organizations. If the victims don't pay the demanded amount (between $500,000 and $700,000, depending on the specific victim), their data will first be offered for sale to other threat actors or competitors. Then, if no one is interested, the hackers package the collected data into password-protected RAR files and begin releasing them in waves. If they still can't find buyers or get the victim to pay the ransom, the Lorenz hackers leak the password, effectively making all of the files publicly available. It should be noted that, unlike other ransomware operations, the Lorenz group also offers to sell access to the compromised network alongside the collected data, so a breached organization that does not rebuild or re-credential its environment remains exposed even after the extortion ends.
Lorenz Ransomware Details
Analyses conducted by Michael Gillespie have revealed that the Lorenz Ransomware encryptor is similar to a previously detected malware threat named ThunderCrypt. Whether this means that the threat actor behind both operations is one and the same, or that the Lorenz group bought the ThunderCrypt source code and created their own variant, cannot currently be determined.
Each Lorenz Ransomware payload is tweaked to match the specific victim targeted in the attack. As such, each version may differ in certain details while keeping the same overall behavior. To lock the victim's files, the Lorenz Ransomware encrypts each file with AES and then encrypts the AES key with an RSA public key embedded in the payload. Because the matching RSA private key is held only by the attackers, the files cannot be recovered from the encrypted data alone; the hybrid scheme is standard for this class of threat and is the reason recovery depends on backups rather than on breaking the encryption. Each affected file will have '.Lorenz.sz40' appended to its original name as a new extension.
The ransom note is then delivered in the form of files named 'HELP_SECURITY_EVENT.html' that are dropped in every folder on the compromised computer. The ransom notes contain links to the Lorenz data leak site and to a TOR payment site created specifically for that victim. Each unique TOR payment site displays the ransom amount assigned to the victim, which has to be paid in Bitcoin. It also offers a chat function through which victims can attempt to negotiate with the Lorenz hackers.
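The two file-system artifacts described above (the appended '.Lorenz.sz40' extension and the per-folder 'HELP_SECURITY_EVENT.html' notes) are what an incident responder will actually scope an infection by. The following script is an added example written for this article, not Lorenz code and not a tool from any vendor: it walks a directory tree, counts encrypted files by their original extension, lists where ransom notes landed, and flags folders that hold encrypted files but no note, which is worth a second look because the article states a note is dropped in every folder. The sample tree built by `build_sample_tree()` is constructed for illustration; the file names in it are invented.

```python
"""Triage helper for the Lorenz indicators described in the article.

Added example, not part of the original page and not Lorenz's own code.
The directory tree produced by build_sample_tree() is constructed sample data.
"""
import os
import tempfile
from collections import Counter

# Indicators taken from the article: appended extension and ransom-note name.
ENCRYPTED_EXT = ".Lorenz.sz40"
NOTE_NAME = "HELP_SECURITY_EVENT.html"


def triage(root):
    """Walk `root` and summarise Lorenz file-system indicators.

    Returns a dict with:
      encrypted_count      - number of files ending in ENCRYPTED_EXT
      encrypted_paths      - their full paths
      original_extensions  - Counter of the extension each file had before
                             ENCRYPTED_EXT was appended (e.g. '.docx')
      note_count / note_paths - ransom notes found
      dirs_missing_note    - directories holding encrypted files but no note
    """
    encrypted_paths = []
    note_paths = []
    original_ext = Counter()
    dirs_with_encrypted = set()
    dirs_with_note = set()

    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                note_paths.append(path)
                dirs_with_note.add(dirpath)
            elif name.endswith(ENCRYPTED_EXT):
                encrypted_paths.append(path)
                dirs_with_encrypted.add(dirpath)
                # The original file name precedes the appended extension,
                # so strip ENCRYPTED_EXT and read the extension that remains.
                stem = name[: -len(ENCRYPTED_EXT)]
                original_ext[os.path.splitext(stem)[1].lower() or "(none)"] += 1

    return {
        "encrypted_count": len(encrypted_paths),
        "encrypted_paths": sorted(encrypted_paths),
        "original_extensions": original_ext,
        "note_count": len(note_paths),
        "note_paths": sorted(note_paths),
        "dirs_missing_note": sorted(dirs_with_encrypted - dirs_with_note),
    }


def build_sample_tree():
    """Create a constructed directory tree mimicking a hit share. Sample only."""
    root = tempfile.mkdtemp(prefix="lorenz_triage_")
    layout = {
        # directory: list of file names (all contents are placeholders)
        "": [NOTE_NAME],
        "docs": [NOTE_NAME, "report.docx" + ENCRYPTED_EXT, "budget.xlsx" + ENCRYPTED_EXT],
        "bin": ["app.exe"],                           # untouched binary
        "photos": ["IMG_001.jpg" + ENCRYPTED_EXT],     # encrypted, but no note
    }
    for rel_dir, names in layout.items():
        d = os.path.join(root, rel_dir)
        os.makedirs(d, exist_ok=True)
        for name in names:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"constructed placeholder content\n")
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(f"encrypted files: {result['encrypted_count']}")
    print(f"by original extension: {dict(result['original_extensions'])}")
    print(f"ransom notes: {result['note_count']}")
    print(f"folders with encrypted files but no note: {result['dirs_missing_note']}")
```

Run it against a mounted image or an affected share instead of the sample tree by calling `triage("/mnt/evidence")`; the counts by original extension give a quick picture of what data categories were hit, and the encrypted-path list is the input to any later backup-restore plan.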