The Lorenz Gang
Over the past few months, the Lorenz ransomware threat (the encryptor is believed to be the same as a previous operation known as ThunderCrypt) has wreaked havoc by unleashing a campaign against at least twelve organizations (at last count). The Lorenz gang infiltrates networks and begins the hunt for Windows administrator credentials as well as scanning for unencrypted files which are copied to a remote server. The malware also begins the process of encrypting local data on the compromised systems.
The Malware is customized for each victim with versions that contain slight variations. How the Lorenz Ransomware works:
- Searches Windows administrator credentials
- Scan for unencrypted files
- Move unencrypted files to a remote server
- Encrypt files using AES encryption and then encrypts the key with an embedded RSA key. Files will have ‘.Lorenz.sz40’ appended to its original name as a new extension.
The gang then delivers ransom notes via files named ‘HELP_SECURITY_EVENT.html’ which installed in every folder on the compromised systems with links to the Lorenz data leak site and to a TOR payment site (which is victim specific). The TOR payment sites display the victim’s ransom amount to be paid in Bitcoin. Victims do have the opportunity to negotiate with the Lorenz hackers via a chat feature available on the TOR payment site. Ransom amounts vary between 500 and 700k (although a current LIFARS Lorenz case is a ransom request in the millions).
Multi-layer Extortion Strategy
The Lorenz Ransomware Gang uses the data (unencrypted files which were copied to a remote server) to pressure the breached organizations to quickly pay the requested ransom. They may also make the data for sale to other threat actors and/or competitors along with access to the compromised network. If there is no interest in purchasing the data, the Lorenz gang will package the files into password-protected RAR files and begin releasing the files in waves. If the victim refuses (or cannot) pay the ransom, the Lorenz hackers will leak the password(s) making all the files available publicly.
To Pay or Not to Pay? That is the Question
Law Enforcement agencies recommend that businesses do not pay ransoms. “It is our policy, it is our guidance, from the FBI, that companies should not pay the ransom for a number of reasons,” FBI Director Christopher Wray testified before Congress. Stephen Nix, Assistant to the Special Agent in charge at the U.S. Secret Service said, “We’re in this boat now because over the last several years people have paid the ransom.” This poses a problem for the businesses that are held, hostage. Many businesses purchase cyber insurance for this scenario and pay. Groups like the Lorenz gang understand this and employ their own tactics. “I would say over the last two years, they target entities that they know have a policy and will pay. They pick their victims carefully,” D. Ondrej Krehel, LIFARS Founder and CEO said. “It is not that hard to get data from brokers because they keep competitive analyses of who owns the policy and what the limit is, so they can compete on pricing.”
The answer to pay or not pay is not clear. The Lorenz ransomware is currently being analyzed for weaknesses, and it may be possible to recover encrypted files. If the comprised company has a backup of the encrypted files, you may have dodged the ransom for the data, but you still run the risk of your files being exposed on the Darkweb. If current backups are not available, the only way to recover important and valuable data may be by paying the ransom.