Researchers analyzed the Lorenz ransomware and developed a free decryption tool that victims can use to recover their files without paying a ransom. Threat actors recently started using the Lorenz ransomware to steal sensitive information and then extort their victims.
They have been terrorizing various organizations worldwide since April and demanding hundreds of thousands of dollars in ransoms from victims.
Like other ransomware gangs, Lorenz operators use a double-extortion model to extort money. They threaten to release the victim’s data if they don’t pay the ransom.
Today, Tesorion security researchers announced they developed a decryptor that could allow victims to recover their files without paying off the criminals. They plan to release it through the NoMoreRansom initiative.
Researchers detailed in a blog post that the sample’s code was compiled with debug information which made the analysis easier.
Lorenz ransomware uses a combination of AES-128 and RSA to encrypt files. It generates a random password for each encrypted file, and an encryption key is then obtained using the CryptDeriveKey function. The code used for the ransomware was most likely written in C++ using Visual Studio 2015.
Lorenz creates a mutex called wolf at startup to mark the infected system.
“Files encrypted by ransomware commonly contain footers, as footers can be easily appended to a file. Lorenz places a header before the encrypted file instead. This makes the ransomware less efficient as it must copy the contents of every file. The header contains the magic value: ‘.sz40’, followed by the RSA-encrypted file encryption key. After writing the encrypted file header, every file is encrypted whole in rather small blocks of 48 bytes. Encrypted files get the file extension: ‘.Lorenz.sz40’,” reads the analysis published by Tesorion.
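The two file-level indicators quoted above (the `.sz40` magic at the start of the file and the `.Lorenz.sz40` extension) are enough to scope an incident on disk. The following Python triage scanner is an added example, not Tesorion's tool or code from the original analysis; it walks a directory, classifies each file by those two indicators, and flags files where only one indicator is present (for example a renamed but unencrypted file). The fake key blob length and sample contents are constructed for the self-test and are not taken from the malware.

```python
import os
import tempfile
from pathlib import Path

# Values taken from the Tesorion analysis quoted above.
LORENZ_MAGIC = b".sz40"
LORENZ_EXTENSION = ".Lorenz.sz40"
BLOCK_SIZE = 48  # Lorenz encrypts file contents in 48-byte blocks

def classify_file(path):
    """Return 'lorenz', 'suspicious' or 'clean' for a single file.

    'lorenz'     : extension and header magic both match
    'suspicious' : only one of the two indicators is present
    'clean'      : neither indicator is present
    """
    path = Path(path)
    has_ext = path.name.endswith(LORENZ_EXTENSION)
    with open(path, "rb") as f:
        has_magic = f.read(len(LORENZ_MAGIC)) == LORENZ_MAGIC
    if has_ext and has_magic:
        return "lorenz"
    if has_ext or has_magic:
        return "suspicious"
    return "clean"

def scan_tree(root):
    """Walk a directory and return {path: classification} for every regular file."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                results[full] = classify_file(full)
    return results

def summarize(results):
    """Count files per classification, in a fixed order for reporting."""
    return {label: sum(1 for v in results.values() if v == label)
            for label in ("lorenz", "suspicious", "clean")}

def build_sample_tree():
    """Construct a throwaway directory of made-up files for a self-test."""
    root = tempfile.mkdtemp(prefix="lorenz_triage_")
    # Constructed stand-in: magic, a fake 256-byte key blob, fake ciphertext.
    encrypted = LORENZ_MAGIC + b"K" * 256 + b"\x00" * (BLOCK_SIZE * 2)
    Path(root, "report.docx" + LORENZ_EXTENSION).write_bytes(encrypted)
    Path(root, "notes.txt").write_bytes(b"plain text, untouched")
    # Renamed but not encrypted: extension present, no magic header.
    Path(root, "budget.xlsx" + LORENZ_EXTENSION).write_bytes(b"PK\x03\x04 fake")
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    res = scan_tree(root)
    for p, label in sorted(res.items()):
        print(f"{label:10s} {os.path.relpath(p, root)}")
    print(summarize(res))
```

Run it against a mounted image or a share copy with `scan_tree("/path/to/evidence")`; the "suspicious" bucket is the one worth a manual look before any decryptor is run.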
Experts discovered a bug in the usage of the CryptEncrypt function during the encryption process that eventually allowed them to decrypt the affected files.
“The result of this bug is that for every file whose size is a multiple of 48 bytes, the last 48 bytes are lost. Even if you managed to obtain a decryptor from the malware authors, these bytes cannot be recovered,” states the analysis.
Experts found that they could decrypt part of the non-corrupted files without paying the ransom.
The full analysis along with Indicators of compromise (IoCs) is available on Tesorion’s website.