A ransomware strain that targets organizations globally with customized attacks has been discovered.
Dubbed Lorenz, the ransomware gang started its operation last month, and its list of victims is growing.
What has happened?
According to a researcher, the Lorenz ransomware appears to be the same as the ThunderCrypt ransomware. However, it’s not clear whether Lorenz was created by the same group or whether its operators purchased the ThunderCrypt source code.
- Lorenz first breaches a targeted organization’s network and spreads laterally to other devices until its operators obtain access to Windows domain administrator credentials.
- While spreading through the network, the Lorenz operators collect unencrypted files from victims’ servers and upload them to remote servers.
- Subsequently, the stolen data is posted on a dedicated data leak site to pressure victims into paying the ransom (known as double extortion), or is sold to other threat actors.
- During encryption, the ransomware uses AES encryption and an embedded RSA key. The extension .Lorenz[.]sz40 is appended to each encrypted file.
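A defender-side check built on the extension named above, as an added example that is not part of the original article: it scans file-creation events for the appended extension and flags hosts where several such files appear within a short window. The log format, host names, threshold and window are constructed assumptions, and the extension is the article's defanged value with the brackets removed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extension named in the article, refanged from ".Lorenz[.]sz40" (assumption).
LORENZ_SUFFIX = ".lorenz.sz40"

# Constructed file-creation events: "<ISO time> <host> <event> <path>".
SAMPLE_EVENTS = r"""
2024-01-01T02:14:03 FS01 CREATE D:\shares\finance\q1 report.xlsx.Lorenz.sz40
2024-01-01T02:14:05 FS01 CREATE D:\shares\finance\payroll.csv.Lorenz.sz40
2024-01-01T02:14:09 FS01 CREATE D:\shares\hr\contracts.docx.Lorenz.sz40
2024-01-01T02:15:00 WS07 CREATE C:\Users\amy\notes.txt
2024-01-01T02:15:30 WS07 CREATE C:\Users\amy\sample.bin.lorenz.sz40
2024-01-01T03:00:00 WS09 CREATE C:\tmp\a.Lorenz.sz40
2024-01-01T05:00:00 WS09 CREATE C:\tmp\b.Lorenz.sz40
2024-01-01T07:00:00 WS09 CREATE C:\tmp\c.Lorenz.sz40
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

def detect_mass_encryption(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {host: [paths]} for hosts that created at least `threshold`
    files carrying the suffix inside any sliding `window`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        ts, host, _event, path = m.groups()
        # Windows paths are case-insensitive, so compare in lower case.
        if not path.lower().endswith(LORENZ_SUFFIX):
            continue
        try:
            hits[host].append((datetime.fromisoformat(ts), path))
        except ValueError:
            continue  # unparseable timestamp
    alerts = {}
    for host, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = [p for _, p in events]
                break
    return alerts
```

A single file with the extension (WS07) or a few spread over hours (WS09) stays below the threshold; only the burst on FS01 is reported.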
An interesting way of leaking stolen data
To pressure victims, the Lorenz gang uses a somewhat unusual trick.
- The gang first offers the stolen data for sale to other threat actors. After some time, it starts posting password-protected RAR archives with the victim’s data.
- If no ransom is paid and the stolen data is not purchased, the gang releases the password for the data leak archives. At that point, the archive is publicly available for anyone to access.
- Besides posting data to leak sites, Lorenz sells access to the victim’s internal network, along with the data. The access to the network could be more valuable than the data itself.
Lorenz is still new and is spreading fast with high ransom demands and customized attacks. In addition, the ransomware gang is offering access to already breached networks. Therefore, security agencies and professionals need to keep an eye on this threat and beef up defenses.