
Meet Lorenz — A new ransomware gang targeting the enterprise



A new ransomware operation known as Lorenz targets organizations worldwide with customized attacks demanding hundreds of thousands of dollars in ransoms.

The Lorenz ransomware gang began operating last month and has since amassed a growing list of victims whose stolen data has been published on a ransomware data leak site.

Michael Gillespie of ID Ransomware has told BleepingComputer that the Lorenz ransomware encryptor is the same as a previous operation known as ThunderCrypt.

It is not clear whether Lorenz is the same group or purchased the ransomware source code to create its own variant.

Data leak site launched to extort victims

Like other human-operated ransomware attacks, Lorenz will breach a network and spread laterally to other devices until they gain access to Windows domain administrator credentials.

While spreading throughout the network, they harvest unencrypted files from the victim's servers and upload them to remote servers under their control.

This stolen data is then published on a dedicated data leak site to pressure victims into paying a ransom, or is sold to other threat actors.

The Lorenz data leak site currently lists twelve victims, with data released for ten of them.

Lorenz data leak site

When the Lorenz gang publishes data, they do things a bit differently from other ransomware gangs.

To pressure victims into paying the ransom, Lorenz first offers the data for sale to other threat actors or possible competitors. As time goes on, they begin releasing password-protected RAR archives containing the victim's data.

Ultimately, if no ransom is paid and the data is not purchased, Lorenz releases the password for the leaked archives so that they are publicly available to anyone who downloads the files.

Another interesting characteristic not seen on other data leak sites is that Lorenz sells access to the victim's internal network along with the data.

Offering access to the victim's internal network

For some threat actors, access to the network could be more valuable than the data itself.

The Lorenz encryptor

From samples of the Lorenz ransomware seen by BleepingComputer, the threat actors customize the malware executable for the specific organization they are targeting.

In one of the samples shared with BleepingComputer, the ransomware issues the following command to launch a file named ScreenCon.exe from what appears to be the local network's domain controller (the domain, credentials and task name are as they appear in the sample; the command is cut off at the end).

wmic /node:"" /USER:"xx.com\Administrator" /PASSWORD:"xx" process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz402 /TR "\\xx.com\NETLOGON\MSI_Install\ScreenConn.exe" & SCHTASKS /run /TN sz402&SCHTASKS /Del

When encrypting files, the ransomware uses AES encryption and an embedded RSA public key to encrypt the AES key. For each encrypted file, the .Lorenz.sz40 extension is appended to the file's name.

For example, a file named 1.doc would be encrypted and renamed to 1.doc.Lorenz.sz40, as shown in the image of an encrypted folder below.

Lorenz encrypted files

Unlike other enterprise-targeting ransomware, the Lorenz sample we looked at did not kill processes or shut down Windows services before encrypting.

Every folder on the computer will contain a ransom note named HELP_SECURITY_EVENT.html with information about what happened to the victim's files. It also includes a link to the Lorenz data leak site and a link to a unique Tor payment site where the victim can see their ransom demand.
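As an added illustration (not code from the article, and not Lorenz's own code), the following Python script turns the indicators described above into two defender-side checks: a matcher for process-creation command lines showing the wmic/schtasks staging pattern, and a filesystem scan for the .Lorenz.sz40 extension and the HELP_SECURITY_EVENT.html note. The sample command lines and the directory tree are constructed; the hostname, domain and credentials in them are placeholders.

```python
import re
import tempfile
from pathlib import Path

# Indicators described in the article (not a complete signature set).
LORENZ_EXT = ".Lorenz.sz40"
RANSOM_NOTE = "HELP_SECURITY_EVENT.html"
# Pieces of the quoted staging command: remote process creation via wmic, a
# scheduled task run as SYSTEM at logon, and a payload on the NETLOGON share.
INDICATORS = [
    ("wmic_remote_exec", re.compile(r"\bwmic\b.*?/node:", re.I)),
    ("schtasks_system_onlogon", re.compile(
        r"schtasks\s+/create\b.*?/ru\s+system\b.*?/sc\s+onlogon\b", re.I)),
    ("netlogon_share_payload", re.compile(
        r"\\\\[^\s\"]+\\netlogon\\[^\s\"]+\.exe", re.I)),
]

# Constructed sample command lines; hostname, domain and credentials are placeholders.
SAMPLE_LINES = [
    r'wmic /node:"dc01" /USER:"xx.com\Administrator" /PASSWORD:"xx" process '
    r'call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON '
    r'/TN sz402 /TR "\\xx.com\NETLOGON\MSI_Install\ScreenConn.exe" '
    r'& SCHTASKS /run /TN sz402"',
    r"schtasks /Create /TN NightlyBackup /TR C:\scripts\backup.bat /SC DAILY",
    r'wmic /node:"srv1" os get caption',
]

def score_cmdline(cmdline):
    """Return the names of the staging indicators found in one command line."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]

def is_lorenz_like(cmdline):
    """Two or more indicators on a single command line is treated as a hit."""
    return len(score_cmdline(cmdline)) >= 2

def scan_tree(root):
    """Count renamed files and ransom notes under root (post-event triage)."""
    root = Path(root)
    encrypted = sum(1 for p in root.rglob("*") if p.name.endswith(LORENZ_EXT))
    notes = sum(1 for p in root.rglob(RANSOM_NOTE) if p.is_file())
    return {"encrypted": encrypted, "notes": notes}

def demo_scan():
    """Build a constructed directory tree and scan it, for a stand-alone run."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ("1.doc" + LORENZ_EXT)).write_bytes(b"\x00")
        (root / ("budget.xlsx" + LORENZ_EXT)).write_bytes(b"\x00")
        (root / RANSOM_NOTE).write_text("<html>constructed ransom note</html>")
        return scan_tree(root)
```

A single wmic or schtasks invocation is common in administration, which is why the matcher only flags a command line that combines two or more of the indicators.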

Lorenz ransom note

Each victim has a dedicated Tor payment site that shows the ransom demand in Bitcoin and provides a chat form through which victims can negotiate with the attackers.

Lorenz Tor payment page

From ransom notes seen by BleepingComputer, Lorenz ransom demands range from $500,000 to $700,000. Earlier versions of the ransomware included million-dollar ransom demands, but it is unclear whether those were affiliated with the same operation.

The ransomware is currently being analyzed for weaknesses, and BleepingComputer does not advise victims to pay the ransom until it is determined whether a free decryptor can recover their files.
