{
	"id": "e0442c0b-5086-40b5-8246-276cfbba7064",
	"created_at": "2026-04-06T00:07:27.78272Z",
	"updated_at": "2026-04-10T13:11:32.450765Z",
	"deleted_at": null,
	"sha1_hash": "ffe8d01babc1751f879745f53a20b658fede8a01",
	"title": "Meet Lorenz \u2014 A new ransomware gang targeting the enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2569629,
	"plain_text": "Meet Lorenz \u2014 A new ransomware gang targeting the enterprise\r\nBy Lawrence Abrams\r\nPublished: 2021-05-13 · Archived: 2026-04-02 12:23:35 UTC\r\nA new ransomware operation known as Lorenz targets organizations worldwide with customized attacks demanding\r\nhundreds of thousands of dollars in ransoms.\r\nThe Lorenz ransomware gang began operating last month and has since amassed a growing list of victims whose stolen data\r\nhas been published on a ransomware data leak site.\r\nMichael Gillespie of ID Ransomware has told BleepingComputer that the Lorenz ransomware encryptor is the same as a\r\nprevious operation known as ThunderCrypt.\r\nhttps://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/\r\nPage 1 of 6\n\nIt is not clear if Lorenz is the same group or purchased the ransomware source code to create its own variant.\r\nData leak site launched to extort victims\r\nLike other human-operated ransomware attacks, Lorenz will breach a network and spread laterally to other devices until\r\nthey gain access to Windows domain administrator credentials.\r\nWhile spreading throughout the system, they will harvest unencrypted files from victims' servers, which they upload to\r\nremote servers under their control.\r\nThis stolen data is then published on a dedicated data leak site to pressure victims to pay a ransom or to sell the data to other\r\nthreat actors.\r\nThis Lorenz data leak site currently lists twelve victims, with data released for ten of them.\r\nLorenz data leak site\r\nWhen the Lorenz gang publishes data, they do things a bit differently compared to other ransomware gangs.\r\nTo pressure victims into paying the ransom, Lorenz first makes the data available for sale to other threat actors or possible\r\ncompetitors. 
As time goes on, they start releasing password-protected RAR archives containing the victim's data.\r\nUltimately, if no ransom is paid, and the data is not purchased, Lorenz releases the password for the data leak archives so\r\nthat they are publicly available to anyone who downloads the files.\r\nAnother interesting characteristic not seen in other data leak sites is that Lorenz sells access to the victim's internal network\r\nalong with the data. \r\nOffering access to victim's internal network\r\nFor some threat actors, access to the networks could be more valuable than the data itself. \r\nThe Lorenz encryptor\r\nFrom samples of the Lorenz ransomware seen by BleepingComputer, the threat actors customize the malware executable for\r\nthe specific organization they are targeting.\r\nIn one of the samples shared with BleepingComputer, the ransomware will issue the following commands to launch a file\r\nnamed ScreenCon.exe from what appears to be the local network's domain controller.\r\nwmic /node:\"0.0.0.0\" /USER:\"xx.com\\Administrator\" /PASSWORD:\"xx\" process call create \"cmd.exe /c schtasks /Create /F /RU\r\nWhen encrypting files, the ransomware uses AES encryption and an embedded RSA key to encrypt the encryption key. For\r\neach encrypted file, the .Lorenz.sz40 extension will be appended to the file's name.\r\nFor example, a file named 1.doc would be encrypted and renamed to 1.doc.Lorenz.sz40, as shown in the image of an\r\nencrypted folder below.\r\nLorenz encrypted files\r\nUnlike other enterprise-targeting ransomware, the Lorenz sample we looked at did not kill processes or shut down Windows\r\nservices before encrypting.\r\nEach folder on the computer will contain a ransom note named HELP_SECURITY_EVENT.html that contains information\r\nabout what happened to a victim's files. 
It will also include a link to the Lorenz data leak site and a link to a unique Tor\r\npayment site where the victim can see their ransom demand.\r\nLorenz ransom note\r\nEach victim has a dedicated Tor payment site that includes the ransom demand in Bitcoin and a chat form that victims can\r\nuse to negotiate with the attackers.\r\nLorenz Tor payment page\r\nFrom ransom notes seen by BleepingComputer, Lorenz ransom demands range from $500,000 to $700,000. Earlier versions\r\nof the ransomware included million-dollar ransom demands, but it is unclear if those were affiliated with the same operation.\r\nThe ransomware is currently being analyzed for weaknesses, and BleepingComputer does not advise victims to pay the\r\nransom until it's determined if a free decryptor can recover files.\r\nSource: https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/"
	],
	"report_names": [
		"meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise"
	],
	"threat_actors": [],
	"ts_created_at": 1775434047,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ffe8d01babc1751f879745f53a20b658fede8a01.pdf",
		"text": "https://archive.orkl.eu/ffe8d01babc1751f879745f53a20b658fede8a01.txt",
		"img": "https://archive.orkl.eu/ffe8d01babc1751f879745f53a20b658fede8a01.jpg"
	}
}