# Meet Lorenz — A new ransomware gang targeting the enterprise **[bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/](https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/)** Lawrence Abrams By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) May 13, 2021 12:54 PM 2 A new ransomware operation known as Lorenz targets organizations worldwide with customized attacks demanding hundreds of thousands of dollars in ransoms. The Lorenz ransomware gang began operating last month and has since amassed a growing list of victims whose stolen data has been published on a ransomware data leak site. [Michael Gillespie of ID Ransomware has told BleepingComputer that the Lorenz](https://id-ransomware.malwarehunterteam.com/) ransomware encryptor is the same as a previous operation known as ThunderCrypt. It is not clear if Lorenz is the same group or purchased the ransomware source code to create its own variant. ## Data leak site launched to extort victims ----- Like other human-operated ransomware attacks, Lorenz will breach a network and spread laterally to other devices until they gain access to Windows domain administrator credentials. While spreading throughout the system, they will harvest unencrypted files from victims' servers, which they upload to remote servers under their control. This stolen data is then published on a dedicated data leak site to pressure victims to pay a ransom or to sell the data to other threat actors. This Lorenz data leak site currently lists twelve victims, with data released for ten of them. **Lorenz data leak site** When the Lorenz gang publishes data, they do things a bit differently compared to other ransomware gangs. To pressure victims into paying the ransom, Lorenz first makes the data available for sale to other threat actors or possible competitors. As time goes on, they start releasing passwordprotected RAR archives containing the victim's data. ----- Ultimately, if no ransom is paid, and the data is not purchased, Lorenz releases the password for the data leak archives so that they are publicly available to anyone who downloads the files. Another interesting characteristic not seen in other data leak sites is that Lorenz sells access to the victim's internal network along with the data. **Offering access to victim's internal network** For some threat actors, access to the networks could be more valuable than the data itself. ## The Lorenz encryptor From samples of the Lorenz ransomware seen by BleepingComputer, the threat actors customize the malware executable for the specific organization they are targeting. In one of the samples [shared with BleepingComputer, the ransomware will issue the](https://twitter.com/AndreGironda/status/1390681165309235212) following commands to launch a file named ScreenCon.exe from what appears to be the local network's domain controller. ``` wmic /node:"0.0.0.0" /USER:"xx.com\Administrator" /PASSWORD:"xx" process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz402 /TR "\\xx.com\NETLOGON\MSI_Install\ScreenConn.exe" & SCHTASKS /run /TN sz402&SCHTASKS /Del ``` When encrypting files, the ransomware uses AES encryption and an embedded RSA key to encrypt the encryption key. For each encrypted file, the .Lorenz.sz40 extension will be appended to the file's name. For example, a file named 1.doc would be encrypted and renamed to 1.doc.Lorenz.sz40, as shown in the image of an encrypted folder below. ----- **Lorenz encrypted files** Unlike other enterprise-targeting ransomware, the Lorenz sample we looked at did not kill processes or shut down Windows services before encrypting. Each folder on the computer will be a ransom note named **HELP_SECURITY_EVENT.html that contains information about what happened to a victim's** files. It will also include a link to the Lorenz data leak site and a link to a unique Tor payment site where the victim can see their ransom demand. ----- **Lorenz ransom note** Each victim has a dedicated Tor payment site that includes the ransom demand in Bitcoin and a chat form that victims can negotiate with the attackers. ----- **Lorenz Tor payment page** From ransom notes seen by BleepingComputer, Lorenz ransom demands range from $500,000 to $700,000. Earlier versions of the ransomware included million-dollar ransom demands, but it is unclear if those were affiliated with the same operation. The ransomware is currently being analyzed for weaknesses, and BleepingComputer does not advise victims to pay the ransom until its determined if a free decryptor can recover files for free. ### Related Articles: [Industrial Spy data extortion market gets into the ransomware game](https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/) [Quantum ransomware seen deployed in rapid network attacks](https://www.bleepingcomputer.com/news/security/quantum-ransomware-seen-deployed-in-rapid-network-attacks/) [Snap-on discloses data breach claimed by Conti ransomware gang](https://www.bleepingcomputer.com/news/security/snap-on-discloses-data-breach-claimed-by-conti-ransomware-gang/) [Shutterfly discloses data breach after Conti ransomware attack](https://www.bleepingcomputer.com/news/security/shutterfly-discloses-data-breach-after-conti-ransomware-attack/) [Windows 11 KB5014019 breaks Trend Micro ransomware protection](https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-trend-micro-ransomware-protection/) ----- [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. -----