A ransomware operation termed Lorenz victimizes organizations worldwide. Lorenz issues highly targeted attacks and demands hundreds of thousands of dollars in payment.
The Lorenz ransomware gang may have a link to the ThunderCrypt operators. The Lorenz gang began operating last month. Since then, the group has developed a notable list of victims. A data leak site houses victims’ stolen and exposed data.
Experts remain uncertain as to whether the Lorenz group is made up of the same individuals behind ThunderCrypt, or whether the ransomware source code was sold to a secondary group.
Data leak site, extortion of victims
As with similar ransomware attacks, Lorenz breaches a network and can spread laterally. As a result, operators gain access to devices. Hackers want to reach Windows domain admin credentials.
In the process of moving through the system, the hackers steal unencrypted files from servers. The files are then uploaded to the internet and either used for further ransom schemes or they’re sold on the web.
The known Lorenz data leak site lists twelve victims. Operators have released data belonging to ten out of the twelve.
The Lorenz lure
“To pressure victims into paying the ransom, Lorenz first makes the data available for sale to other threat actors or possible competitors. As time goes on, they start releasing password-protected RAR archives containing the victim’s data,” reports Bleeping Computer. If a ransom is not paid, Lorenz makes the stolen information publicly available.
The Lorenz operators have devised a unique attack twist. Lorenz sells access to a victim’s internal network. “For some threat actors, access to the networks could be more valuable than the data itself,” notes Bleeping Computer. Security professionals should take note of this. For enterprises, this type of attack is more than a bee sting. It may be akin to getting stung by a hoard of bees.
Lorenz Ransomware encryption, technical details
The Lorenz ransomware operators appear to customize the malware executable in accordance with the targeted organization. In one sample, ransomware appears to issue specific commands from the local network’s domain controller.
The ransomware that encrypts the files uses AES encryption and relies on an embedded RSA key to encrypt the encryption key. In relation to each file that’s encrypted, the .Lorenz.sz40 extension appends the file’s name.
In contrast with other ransomware strains, Lorenz does not appear to kill processes or to terminate Windows ahead of file encryption.
Victims receive a dedicated Tor payment site from which they can pay ransoms. Payments occur in the form of Bitcoin. A chat forum is accessible to victims. It enables victims to negotiate with the gang.
Lorenz ransomware payments
Thus far, Lorenz ransomware payment demands have ranged from $500,000 to $700,000. Previously, certain Lorenz ransomware deployments included million-dollar ransom demands. However, experts remain uncertain as to whether those demands were connected to the same group of hackers.
Lorenz remains a relatively new ransomware on the scene. High ransom demands and customized attacks render it a clear and present danger.
For more on Lorenz ransomware, visit Bleeping Computer.