Lorenz: A New Ransomware Making Rounds

What has happened?

• Lorenz first breaches a targeted organization’s network and spreads laterally to other devices until its operators obtain access to Windows domain administrator credentials.
• While spreading throughout the system, the ransomware operators will collect unencrypted files from victims' servers, which are then uploaded to remote servers.
• Subsequently, the stolen data is posted on a dedicated data leak site to pressurize the victims into paying the ransom (known as double extortion) or sell the stolen data to other threat actors.
• While encryption is in progress, the ransomware uses an embedded RSA key and AES encryption. For each encrypted file, extension .Lorenz[.]sz40 is appended.

An interesting way of leaking stolen data

• The gang first offers the stolen data for sale to other threat actors. After some time, it starts posting password-protected RAR archives with the victim's data.
• If no ransom is paid or the stolen data is not purchased, the gang releases the password for the data leak archives. Now, the archive is publicly available for anyone to access.
• Other than posting data to leak sites, Lorenz sells access to the victim's internal network, along with the data. The access to the network could be more valuable than the data itself.

Conclusion