Since last month, the new Lorenz ransomware gang has targeted a sizeable list of victims located worldwide demanding hundreds of thousands of dollars in ransoms.
According to Michael Gillespie of ID Ransomware, who has been tracking the malware, Lorenz uses the same encryptor previously used by the ThunderCrypt operators. That alone, however, is not enough to say whether Lorenz is the same group or simply purchased the source code and built its own variant.
Being a human-operated ransomware operation, Lorenz actors first breach a network and then spread laterally to other machines looking for administrator credentials. Before encrypting files, the attackers exfiltrate them to their servers. They later publish stolen data on their data leak site to put pressure on victims to make them pay a ransom.
Lorenz's data leak website currently lists twelve victims, and the group has released data for ten of them. Before publishing, Lorenz first sells the stolen data to other threat actors or to the victim's competitors. It then starts releasing password-protected RAR archives containing the victim's data. If the victim does not pay the ransom and nobody buys the data, the hackers publish the archive password so the data can be opened and viewed publicly.
The researcher also noted a tactic not seen with other ransomware outfits: the Lorenz gang has sold access to the victim's network, which some threat actors would value more than the data itself.
The gang encrypts the victim's files with AES and uses an embedded RSA public key to encrypt the AES key. Each encrypted file receives a .Lorenz.sz40 extension.
Another notable trait of this operation is that, unlike other enterprise-targeting groups, Lorenz does not attempt to kill processes or stop Windows services before encrypting files.
The attackers leave ransom notes named HELP_SECURITY_EVENT.html that describe what happened and link to a Tor payment page, which states the ransom demand and offers a chat that victims can use to negotiate with the hackers.
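The two file-level indicators named above, the .Lorenz.sz40 extension on encrypted files and the HELP_SECURITY_EVENT.html ransom note, are enough for a quick triage sweep over a file listing. The script below is an added example written for this page, not code from the article or from any analysis of the malware; the hostnames, paths and the choice to match names case-insensitively (as NTFS does) are assumptions, and the event list is constructed.

```python
"""Added example (not from the article): scan (host, path) pairs for the two
indicators the article names, the ".Lorenz.sz40" extension on encrypted files
and the "HELP_SECURITY_EVENT.html" ransom note, and summarise hits per host so
a responder can see where encryption has already run."""
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional, Tuple

ENCRYPTED_SUFFIX = ".Lorenz.sz40"          # extension appended to encrypted files
RANSOM_NOTE_NAME = "HELP_SECURITY_EVENT.html"

# Constructed sample data: (hostname, full path) pairs as a file-creation
# log might list them. Hostnames and paths are invented for illustration.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("FS01", r"D:\Shares\Finance\Q1_report.xlsx.Lorenz.sz40"),
    ("FS01", r"D:\Shares\Finance\HELP_SECURITY_EVENT.html"),
    ("FS01", r"D:\Shares\Finance\budget.docx.Lorenz.sz40"),
    ("WS042", r"C:\Users\alice\Documents\notes.txt"),
    ("WS042", r"C:\Users\alice\Desktop\lorenz_report.pdf"),          # benign: substring only
    ("WS042", r"C:\Users\alice\Documents\help_security_event.html"),  # note, different case
]


def classify_path(path: str) -> Optional[str]:
    """Return 'encrypted', 'note', or None for a single path.

    Matching is case-insensitive (an assumption: Windows file systems are),
    and only the final path component is inspected, so a directory that
    happens to contain "lorenz" in its name does not trigger a hit.
    """
    name = PureWindowsPath(path).name.lower()
    if name.endswith(ENCRYPTED_SUFFIX.lower()):
        return "encrypted"
    if name == RANSOM_NOTE_NAME.lower():
        return "note"
    return None


def original_name(path: str) -> Optional[str]:
    """Recover the pre-encryption file name by stripping the appended suffix.

    Useful for inventorying which files were touched; None if the path is
    not an encrypted file.
    """
    name = PureWindowsPath(path).name
    if classify_path(path) != "encrypted":
        return None
    return name[: -len(ENCRYPTED_SUFFIX)]


def summarise(events: Iterable[Tuple[str, str]]) -> Dict[str, Dict[str, int]]:
    """Count encrypted files and ransom notes per host."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"encrypted": 0, "note": 0})
    for host, path in events:
        kind = classify_path(path)
        if kind is not None:
            summary[host][kind] += 1
    return dict(summary)


def affected_hosts(events: Iterable[Tuple[str, str]]) -> List[str]:
    """Hosts with at least one encrypted file or ransom note, sorted."""
    return sorted(summarise(events))


if __name__ == "__main__":
    for host, counts in summarise(SAMPLE_EVENTS).items():
        print(f"{host}: {counts['encrypted']} encrypted file(s), {counts['note']} ransom note(s)")
    for _, path in SAMPLE_EVENTS:
        orig = original_name(path)
        if orig:
            print(f"  {path} -> originally {orig}")
```

In practice the event list would come from a file-server audit log or an EDR file-creation feed rather than a hard-coded list; a host that shows encrypted files but no note, or a note but no encrypted files, is still worth isolating, which is why both counts are reported separately.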
Lorenz ransom demands range from $500,000 to $700,000. Earlier versions of the ransomware included million-dollar ransom demands, but it is unclear if those were affiliated with the same operation.
BleepingComputer researchers are currently analyzing the ransomware for weaknesses. We do not advise victims to pay the ransom, since a free decryptor may be able to recover their files.