ransomware Lorenz

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

Ransomware Lorenz has been discovered that targets organizations globally with customized attacks.

Dubbed Lorenz, the ransomware gang started its operation last month and the list of victims is growing. 

What has happened?

According to a researcher, ransomware Lorenz appears to be the same as ThunderCrypt ransomware. However, it’s not clear if Lorenz is created by the same group or if it purchased the source code of ThunderCrypt.

  • Lorenz first breaches a targeted organization’s network and spreads laterally to other devices until its operators obtain access to Windows domain administrator credentials.
  • While spreading throughout the system, ransomware Lorenz operators will collect unencrypted files from victims’ servers, which are then uploaded to remote servers.
  • Subsequently, the stolen data is posted on a dedicated data leak site to pressurize the victims into paying the ransom (known as double extortion) or sell the stolen data to other threat actors.
  • While encryption is in progress, the ransomware uses an embedded RSA key and AES encryption. For each encrypted file, extension .Lorenz[.]sz40 is appended.

An interesting way of leaking stolen data

To pressurize the victims, Lorenz gang uses a slightly unique trick.

  • The gang first offers the stolen data for sale to other threat actors. After some time, it starts posting password-protected RAR archives with the victim’s data.
  • If no ransom is paid or the stolen data is not purchased, the gang releases the password for the data leak archives. Now, the archive is publicly available for anyone to access.
  • Other than posting data to leak sites, Lorenz sells access to the victim’s internal network, along with the data. The access to the network could be more valuable than the data itself.


Lorenz is still new and is spreading fast with high ransom demands and customized attacks. In addition, the ransomware gang is offering access to already breached networks. Therefore, security agencies and professionals need to keep an eye on this threat and beef up defenses.

Subscribe To Our Newsletter

More To Explore

Wanna take it to the next level?

drop us a line and let's get started

We're Here To help

Feel free to contact us, and we’ll be more than happy to answer all of your questions.

a2Da Digital

a2Da Digital is a brand of a2Da Enterprises

Ahtri 12
10151 Tallinn, Estonia

[email protected]

+372 712 4283
Hours : 08:00 to 18:00 Mon – Fri
Support 24×7 Submit a Ticket Here
Registered in Tallinn, EE : 14740580
VAT : EE102279616

By completing this form, you consent to a2Da Digital, in its capacity as data controller, collecting your data in order to be able to respond to your message. To assert your right of access or removal, see our Privacy Policy.

Notre entreprise est un collectif de personnes extraordinaires dont le seul objectif est de construire les solutions dont vous avez besoin.

Des interlocuteurs disponibles, compétents et à votre disposition pour vous aider à définir vos besoins et les traduire en outils performants et faciles à utiliser.

Nous répondons à vos demandes au plus vite de manière claire et compréhensible.

Contactez nous à [email protected] avec vos questions.

Nous maintenons nous même notre matériel 24/7 et avons construit une infrastructure sécurisée, efficace et fiable.

Ceci nous permet de vous proposer des produits adaptés à tous les budgets et à forte valeur ajoutée.

Nous ne revendons pas des packs d’hébergement… Nous disposons de nos propres serveurs, maintenus, mis à jour et gérés par nos propres équipes.