Beware of Lorenz Ransomware Gang Targeting Organizations with Customized Attacks


Security researchers have unearthed a new ransomware operation known as Lorenz targeting organizations worldwide with customized attacks and demanding hundreds of thousands of dollars in ransoms. The Lorenz ransomware gang began operating last month and has since compiled a growing list of victims whose stolen data has been published on a data leak site.

According to Bleeping Computer, Michael Gillespie of ID Ransomware found that the Lorenz ransomware encryptor is identical to that of a previous operation known as ThunderCrypt. It remains unclear, however, whether Lorenz is run by the same group or bought the ransomware source code and built its own variant from it.

Like other ransomware operators, Lorenz breaches a network and moves laterally from device to device until it obtains Windows domain administrator credentials. While spreading through the environment, the attackers harvest unencrypted files from the victim's servers and upload them to remote servers under their control. This stolen data is later published on a dedicated data leak site to pressure the victim into paying, or is sold to other threat actors.

According to security experts, the Lorenz gang operates differently from other ransomware gangs. To pressure victims into paying, Lorenz first offers the stolen data for sale to other threat actors or to the victim's competitors. After a while, it starts releasing password-protected RAR archives containing the victim's data. Unlike other enterprise-targeting ransomware, the Lorenz sample we looked at did not kill processes or shut down Windows services before encrypting.

In each folder on the computer, the ransomware drops a ransom note named HELP_SECURITY_EVENT.html that explains what happened to the victim's files. The note also includes a link to the Lorenz data leak site and a link to a unique Tor payment site where the victim can see their ransom demand.
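A note dropped into every folder is a useful indicator during triage: walking the filesystem for the note name both confirms the infection and maps how far encryption spread. The script below is an added example for this article, not code from the researchers cited here. The only indicator it takes from the article is the filename HELP_SECURITY_EVENT.html; the demo tree, the note text, and the .onion addresses in it are constructed for the demo, and the assumption that the note carries the leak-site and payment links as plain .onion URLs is ours.

```python
"""Hunt for Lorenz-style ransom notes dropped into every folder.

Added example, not from the article or from any analysis of the real sample.
The only indicator taken from the article is the ransom note filename
HELP_SECURITY_EVENT.html; the demo tree and the .onion addresses below are
constructed for the demo.
"""
import os
import re
import tempfile
from collections import Counter

NOTE_NAME = "HELP_SECURITY_EVENT.html"  # ransom note name from the article

# Assumption: the note links to the leak site and the Tor payment site as
# plain v2/v3 .onion URLs. Real notes may obfuscate the links differently.
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\S*", re.IGNORECASE)

# Constructed addresses for the demo; they are not real Lorenz infrastructure.
DEMO_LEAK_URL = "http://lorenzleakdemo2222222222222222.onion/"
DEMO_PAY_URL = "http://paydemo4444444444444444444444.onion/id=abc"


def find_ransom_notes(root):
    """Walk `root` and return one record per directory holding the note."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if NOTE_NAME not in filenames:
            continue
        path = os.path.join(dirpath, NOTE_NAME)
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                body = fh.read()
        except OSError:
            body = ""  # unreadable note: still record the directory
        links = sorted({m.group(0) for m in ONION_RE.finditer(body)})
        hits.append({"dir": dirpath, "onion_links": links, "size": len(body)})
    return hits


def summarize(hits):
    """Collapse per-note hits into the spread map and the contact links."""
    link_counts = Counter(link for h in hits for link in h["onion_links"])
    return {
        "note_count": len(hits),
        "dirs": sorted(h["dir"] for h in hits),
        "onion_links": dict(link_counts),
    }


def build_demo_tree():
    """Constructed tree: three folders with a note and one untouched folder."""
    root = tempfile.mkdtemp(prefix="lorenz_demo_")
    note = ("<html><body>Your files are encrypted. "
            "Leak site: " + DEMO_LEAK_URL + " "
            "Payment: " + DEMO_PAY_URL + " </body></html>")
    for sub in ("Users/alice/Documents", "Users/alice/Pictures", "Shares/Finance"):
        d = os.path.join(root, sub)
        os.makedirs(d)
        with open(os.path.join(d, NOTE_NAME), "w", encoding="utf-8") as fh:
            fh.write(note)
        with open(os.path.join(d, "report.docx"), "wb") as fh:
            fh.write(b"\x00" * 16)  # stand-in for an encrypted file
    os.makedirs(os.path.join(root, "Program Files", "Clean"))
    return root


def clean_subtree(root):
    """Path of the folder in the demo tree that received no note."""
    return os.path.join(root, "Program Files")


if __name__ == "__main__":
    demo_root = build_demo_tree()
    result = summarize(find_ransom_notes(demo_root))
    print(f"{result['note_count']} ransom notes under {demo_root}")
    for d in result["dirs"]:
        print("  hit:", d)
    for link, n in result["onion_links"].items():
        print(f"  link {link} seen in {n} notes")
```

On a real host, point `find_ransom_notes` at each mounted volume and at any file shares the compromised account could reach; the directory list gives the blast radius, and the extracted links are the values to pivot on when comparing against other victims' notes.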

Finally, if the victim does not pay, Lorenz publishes the password for the leaked archives, so that the data becomes available to anyone who downloads the files. From ransom notes seen by BleepingComputer, Lorenz ransom demands range from $500,000 to $700,000.

The ransomware is currently being analyzed for weaknesses. In any case, paying the ransom never guarantees that you get your data back, and the stolen copy may still end up for sale on the Dark Web.