One more security threat targeting businesses has emerged in the ransomware ecosystem. Identified as Lorenz, this is yet another ransomware that uses a double extortion strategy to make money.
About Lorenz Ransomware
Bleeping Computer has shared details of Lorenz, a ransomware that has recently appeared on the radar. The ransomware has been active for about a month and has targeted numerous firms in that time.
In brief, Lorenz, like other ransomware, aims to extract money from businesses by taking over their networks. After infection, Lorenz spreads laterally on the target network to reach Windows domain admin credentials.
As it spreads, it keeps harvesting unencrypted data from the victim and sends it to its own servers. That’s how Lorenz joins the list of ransomware that practice double or triple extortion.
After establishing itself and stealing the data, Lorenz encrypts the data while appending a “.Lorenz.sz40” extension to the file names.
While all of this sounds common for ransomware, Lorenz exhibits some unique strategies as well.
First, it delivers a malware executable customized for the specific victim. The gang also sets up a dedicated Tor payment site for every victim.
Besides, the malware does not kill processes or Windows services before encryption, unlike other ransomware.
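Since Lorenz does not stop processes or services before encrypting, the renamed files are the indicator this article offers for detection. The following Python example is added here and is not code from Bleeping Computer or any vendor; it flags hosts where several files ending in ".Lorenz.sz40" appear within a short window. The event-line format, host names, timestamps, threshold and window are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extension reported in the article; compared in lower case (Windows names are case-insensitive).
LORENZ_SUFFIX = ".lorenz.sz40"

# Constructed sample events (not real telemetry), time-ordered: "ISO time|host|action|path".
SAMPLE_EVENTS = """\
2021-05-17T02:14:01|FS01|rename|D:\\Shares\\Finance\\q1.xlsx.Lorenz.sz40
2021-05-17T02:14:02|FS01|rename|D:\\Shares\\Finance\\q2.xlsx.Lorenz.sz40
2021-05-17T02:14:03|FS01|create|D:\\Shares\\HR\\staff.docx.LORENZ.SZ40
2021-05-17T02:14:04|WS22|create|C:\\Users\\amy\\notes.txt
2021-05-17T03:40:00|WS22|rename|C:\\Users\\amy\\sample.Lorenz.sz40
malformed line without separators
"""

def parse_event(line):
    """Return (time, host, path), or None for a line that does not parse."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return when, parts[1], parts[3]

def detect_bursts(text, threshold=3, window=timedelta(seconds=60)):
    """Map host -> time at which `threshold` matching files were seen within `window`."""
    recent = defaultdict(deque)  # host -> timestamps of matching events still in the window
    alerts = {}
    for line in text.splitlines():
        event = parse_event(line)
        if event is None:
            continue  # skip malformed input instead of aborting the scan
        when, host, path = event
        if not path.lower().endswith(LORENZ_SUFFIX):
            continue
        times = recent[host]
        times.append(when)
        while when - times[0] > window:  # drop events that fell out of the window
            times.popleft()
        if len(times) >= threshold and host not in alerts:
            alerts[host] = when  # record only the first burst per host
    return alerts

if __name__ == "__main__":
    for host, when in detect_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: burst of {LORENZ_SUFFIX} files at {when.isoformat()}")
```

The threshold keeps a single stray file, such as a sample on an analyst workstation, from raising an alert on its own.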
As for the ransom, the gang usually makes a huge demand ranging between $500,000 and $700,000. If the victim fails to pay, the attackers start releasing the stolen data on the dark web.
First, the Lorenz gang considers selling the data to competitors. Then, they start leaking password-protected data archives until the deadline for ransom payment passes. After that, they simply release the password as well, making the data publicly available.
Again, what makes Lorenz unique is that the gang leaks not only the stolen data but also access to the victim’s internal network.
Malware Appears To Be ThunderCrypt Variant
While Lorenz exhibits somewhat distinct behavior, it appears to be a variant of another ransomware, ThunderCrypt.
For now, not many details are available about Lorenz as the analyses continue. Nonetheless, the gang’s leak site suggests that, within a short time, the ransomware has targeted around 12 different victims. The gang has leaked the data stolen from 10 of them.