ransomware Lorenz

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

Ransomware Lorenz has been discovered that targets organizations globally with customized attacks.

Dubbed Lorenz, the ransomware gang started its operation last month and the list of victims is growing. 

What has happened?

According to a researcher, ransomware Lorenz appears to be the same as ThunderCrypt ransomware. However, it’s not clear if Lorenz is created by the same group or if it purchased the source code of ThunderCrypt.

  • Lorenz first breaches a targeted organization’s network and spreads laterally to other devices until its operators obtain access to Windows domain administrator credentials.
  • While spreading throughout the system, ransomware Lorenz operators will collect unencrypted files from victims’ servers, which are then uploaded to remote servers.
  • Subsequently, the stolen data is posted on a dedicated data leak site to pressurize the victims into paying the ransom (known as double extortion) or sell the stolen data to other threat actors.
  • While encryption is in progress, the ransomware uses an embedded RSA key and AES encryption. For each encrypted file, extension .Lorenz[.]sz40 is appended.

An interesting way of leaking stolen data

To pressurize the victims, Lorenz gang uses a slightly unique trick.

  • The gang first offers the stolen data for sale to other threat actors. After some time, it starts posting password-protected RAR archives with the victim’s data.
  • If no ransom is paid or the stolen data is not purchased, the gang releases the password for the data leak archives. Now, the archive is publicly available for anyone to access.
  • Other than posting data to leak sites, Lorenz sells access to the victim’s internal network, along with the data. The access to the network could be more valuable than the data itself.


Lorenz is still new and is spreading fast with high ransom demands and customized attacks. In addition, the ransomware gang is offering access to already breached networks. Therefore, security agencies and professionals need to keep an eye on this threat and beef up defenses.

Subscribe To Our Newsletter

More To Explore

Wanna take it to the next level?

drop us a line and let's get started

We're Here To help

Feel free to contact us, and we’ll be more than happy to answer all of your questions.

a2Da Digital

a2Da Digital is a brand of a2Da Enterprises

Ahtri 12
10151 Tallinn, Estonia

[email protected]

+372 712 4283
Hours : 08:00 to 18:00 Mon – Fri
Support 24×7 Submit a Ticket Here
Registered in Tallinn, EE : 14740580
VAT : EE102279616

By completing this form, you consent to a2Da Digital, in its capacity as data controller, collecting your data in order to be able to respond to your message. To assert your right of access or removal, see our Privacy Policy.

Our company is a collective of amazing people striving to build solutions you need.

Actual people, easy to contact and who know what they are doing, these are the members of the team you will deal with.
We all speak French and English and will be able to answer all your questions as quickly as possible.
Just drop an email at [email protected] with your question.

We have both eyes on our equipment, update and maintain it ourselves 24/7 and have constructed an architecture that we believe is sound, secured, efficient and cost effective. We own our servers, we do not resell hosting packages!