Meet Lorenz — A New Ransomware Gang Targeting the Enterprise
A new ransomware operation, Lorenz, is targeting the enterprise and demanding hundreds of thousands of dollars.
The Lorenz ransomware gang began operating last month and has a growing list of victims. The new ransomware targets enterprises, steals their data, and demands millions of dollars. The Lorenz operators attack a network and spread to other devices until they obtain Windows domain administrator credentials. The gang goes through the files on the victim's servers and uploads them to a remote server under its control.
The stolen data is published on a data leak site to pressure the victim into paying the ransom. The gang has recently listed 12 victims and released the data of ten of them. When it comes to the threat of publication, Lorenz works differently from other ransomware gangs. They sell the data along with that of other threatened victims, or sell it to competitors. As time passes, if the victim does not accept their demand, they start releasing password-protected files containing the victim's data.
The data then becomes publicly available to anyone who downloads the files. The hackers have set up a website where the stolen data of victims is published. It is not clear how the gang reaches its intended victims and distributes the malware. The gang uses two ways to get money from its victims: first they threaten to leak the files, and then they sell the data if the victim is still not brought to its knees.
To stay in the ransom game, the gang keeps pressure on victims. The ransomware has been seen issuing specific commands from the local network's domain controller. The ransomware does not kill processes. The gang demands payment in Bitcoin. A chat forum is available to the victim so they can deal with the gang. The Lorenz gang's demands are around 14 bitcoin, or $700,000. Some Lorenz demands run to millions of dollars. It has not been confirmed whether the group is new or an old one using new techniques.
A ransom note named _HELP-SECURITY_EVENT.html is dropped on the victim's system.
When encrypting files, the ransomware uses AES encryption and an embedded RSA key to encrypt the encryption key. For each encrypted file, Lorenz appends the sz40 extension to the file name.
Much is still unclear; meanwhile, security agencies are improving cybersecurity and taking the criminals out of their holes.
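A defender-side triage sketch built on the two artifacts named above, the sz40 extension and the dropped note (an added example, not from the original article). The sample paths, the threshold and the function names are constructed; the note name is matched with punctuation ignored, an assumption made so that hyphen and underscore variants of the name are both caught.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

ENCRYPTED_SUFFIX = ".sz40"            # extension named in the article
NOTE_KEY = "helpsecurityeventhtml"    # note name, lowercased, punctuation stripped

def classify(path):
    """Return 'encrypted', 'note' or None for a single file path."""
    name = PureWindowsPath(path).name.lower()
    if PureWindowsPath(name).suffix == ENCRYPTED_SUFFIX:
        return "encrypted"
    if re.sub(r"[^a-z0-9]", "", name) == NOTE_KEY:
        return "note"
    return None

def triage(paths, min_encrypted=3):
    """Group hits by directory and keep directories that hold a note or at
    least min_encrypted renamed files (one stray .sz40 file alone is weak)."""
    dirs = defaultdict(lambda: {"encrypted": 0, "note": 0})
    for p in paths:
        kind = classify(p)
        if kind:
            dirs[str(PureWindowsPath(p).parent)][kind] += 1
    return {d: c for d, c in dirs.items()
            if c["note"] or c["encrypted"] >= min_encrypted}

# Constructed sample: a file listing as exported from a file server or EDR.
SAMPLE_LISTING = [
    r"D:\Shares\Finance\q1.xlsx.sz40",
    r"D:\Shares\Finance\q2.xlsx.sz40",
    r"D:\Shares\Finance\budget.docx.sz40",
    r"D:\Shares\Finance\_HELP-SECURITY_EVENT.html",
    r"D:\Shares\HR\HELP_SECURITY_EVENT.html",
    r"D:\Shares\HR\roster.xlsx",
    r"C:\Tools\archive.sz40",
    r"C:\Tools\readme.txt",
]

if __name__ == "__main__":
    for directory, counts in sorted(triage(SAMPLE_LISTING).items()):
        print(f"{directory}: {counts['encrypted']} encrypted, {counts['note']} note(s)")
```

Directories that hold a note but no renamed files are still reported, since the note can land before or without encryption in that folder.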
Reference: https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/