Lorenz ransomware has evolved with customized attacks against organizations worldwide, often demanding large ransom fees. Cybereason links Lorenz to ThunderCrypt and notes that while a No More Ransom decryptor exists, it is limited and often ineffective. #Lorenz #ThunderCrypt
Keypoints
- Ever Evolving Ransomware: Lorenz continuously changes ransomware capabilities and behavior, tailoring attacks to each target.
- High Severity: The threat level is HIGH given the destructive potential of the attacks.
- Human Operated Attack: Infiltration and lateral movement are followed by a fully developed RansomOps operation.
- Interesting Data Leaks: Lorenz sells stolen data to threat actors, releases password-protected archives, and also sells DBs and internal access.
- Detected and Prevented: Cybereason XDR Platform fully detects and prevents Lorenz ransomware.
MITRE Techniques
- [T1566.003] Phishing: Spearphishing via Service – The attackers studied target employees and sent the email from a legitimate supplier employee’s account that had been compromised, making the email appear legitimate. “sent the email from a legitimate email account of a real employee at a supplier that they’d already been compromised.”
- [T1078] Valid Accounts – The attackers aim to compromise a domain controller and obtain domain administrator credentials to move laterally and sell access. “The main goal for the attackers when moving laterally is to compromise a domain controller and obtain domain administrator credentials.”
- [T1053.005] Scheduled Task: Scheduled Task/Job – Remote scheduled tasks are created to launch components and move laterally before deploying ransomware. “Some of the samples observed created a remote scheduled task that launches another ransomware binary located on a remote server within the infected network. This indicates that the attackers performed lateral movement in the environment, collected information and harvest credentials before launching the ransomware payload.”
- [T1490] Inhibit System Recovery – Shadow Copies Deletion – The malware deletes shadow copies to hinder recovery. “used the well known vssadmin command to delete the virtual shadow copies of the system.”
- [T1547] Boot or Logon Autostart Execution – Creating a New Boot Entry – The malware creates a new boot entry to mislead users and delay boot. “cmd.exe /c bcdedit /copy {current} /d "Lorenz Encrypt System" & bcdedit /set {current} description "Lorenz Encrypt System" & bcdedit /timeout 100000 && ipconfig”
- [T1112] Modify Registry – The ransomware changes registry keys to configure a new wallpaper and other indicators. “The wallpaper is changed after reboot of the machine: … changes the relevant registry keys to configure it as a desktop wallpaper.”
- [T1047] Windows Management Instrumentation – The malware uses WMI to execute remote commands (e.g., creating scheduled tasks). “wmic /node:" … process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz401 /TR 'copy NETLOGON …”
- [T1086] PowerShell – The attackers' PowerShell activity leaves records in the Windows PowerShell event logs. “Windows PowerShell logs that contain information about PowerShell activities…”
- [T1070.001] Clear Windows Event Logs – The attackers clear Windows Event Logs to remove traces. “Clearing Windows Event Logs”
- [T1486] Data Encrypted for Impact – The ransomware encrypts files using AES and appends a ransom note. “Lorenz uses AES encryption to encrypt the files.”
- [T1041] Exfiltration: Exfiltration Over C2 Channel – Data is leaked via the Lorenz data leak website and the sale of internal access. “data leaks website and unique TOR payment website”.
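The command lines quoted in the technique list above (vssadmin shadow deletion, bcdedit boot-entry tampering, WMI-launched schtasks creation, event-log clearing) are all visible in process-creation telemetry, so they make a compact detection exercise. The following is an added example, not Cybereason's code or anything from the Lorenz sample: it runs a handful of command-line rules over constructed process-creation records and rolls the matches up per host. The single-line log format, the hostnames, the timestamps, the `FS01`/`DC01` share path in the WMI line, and the use of `wevtutil cl` for log clearing (the page names only the technique, not the tool) are all assumptions made for this example.

```python
"""Process-creation triage for the Lorenz TTPs quoted in the technique list.

Added example (not Cybereason's code or the Lorenz sample). The record
format -- "timestamp | host | parent -> image | command line", one record
per line -- and every sample record below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry. The "Lorenz Encrypt System" label and the
# schtasks parameters mirror the commands quoted in the technique list; the
# hosts, times and the \\DC01\NETLOGON path are assumptions.
SAMPLE_LOG = r"""
2023-01-10T09:12:01Z | WS01 | explorer.exe -> cmd.exe | cmd.exe /c ipconfig /all
2023-01-10T09:14:22Z | WS01 | lorenz.exe -> cmd.exe | cmd.exe /c vssadmin delete shadows /all /quiet
2023-01-10T09:14:23Z | WS01 | lorenz.exe -> cmd.exe | cmd.exe /c bcdedit /copy {current} /d "Lorenz Encrypt System" & bcdedit /set {current} description "Lorenz Encrypt System" & bcdedit /timeout 100000 && ipconfig
2023-01-10T09:15:40Z | DC01 | cmd.exe -> wmic.exe | wmic /node:"FS01" process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz401 /TR 'copy \\DC01\NETLOGON\sz401.exe C:\sz401.exe'"
2023-01-10T09:16:05Z | DC01 | cmd.exe -> wevtutil.exe | wevtutil cl Security
2023-01-10T09:20:00Z | WS02 | backup-agent.exe -> vssadmin.exe | vssadmin list shadows
"""


@dataclass(frozen=True)
class Rule:
    technique: str
    name: str
    pattern: re.Pattern


# One rule per quoted behaviour. Patterns anchor on the tool name plus the
# specific sub-command, so benign uses (e.g. "vssadmin list shadows") do not fire.
RULES = [
    Rule("T1490", "Shadow copy deletion via vssadmin",
         re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    Rule("T1547", "Boot entry tampering via bcdedit (/copy, /set description, /timeout)",
         re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:/copy\b|/set\b.*\bdescription\b|/timeout\b)", re.I)),
    Rule("T1047", "Remote process creation via WMI",
         re.compile(r"\bwmic(?:\.exe)?\b.*\s/node:.*\bprocess\s+call\s+create\b", re.I)),
    Rule("T1053.005", "Scheduled task creation via schtasks",
         re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I)),
    Rule("T1070.001", "Event log clearing via wevtutil (assumed tool)",
         re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.I)),
]


def parse(line):
    """Split one constructed record into its fields."""
    ts, host, lineage, cmdline = (p.strip() for p in line.split(" | ", 3))
    parent, image = (p.strip() for p in lineage.split("->", 1))
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def scan(log_text):
    """Return one finding per (record, rule) match, in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse(line)
        for rule in RULES:
            if rule.pattern.search(rec["cmdline"]):
                findings.append({"ts": rec["ts"], "host": rec["host"], "image": rec["image"],
                                 "parent": rec["parent"], "technique": rule.technique,
                                 "name": rule.name})
    return findings


def techniques_by_host(findings):
    """Roll findings up to the set of technique IDs seen on each host."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["technique"])
    return by_host


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['host']:5} {f['technique']:9} {f['parent']} -> {f['image']}: {f['name']}")
    for host, techs in sorted(techniques_by_host(hits).items()):
        print(f"{host}: {sorted(techs)}")
```

Run as a script it lists each match and then the per-host roll-up; the roll-up is the useful view, because a single host that shows shadow-copy deletion together with a bcdedit boot-entry change, or WMI-launched scheduled-task creation followed by log clearing, is a much stronger signal than any one rule on its own. The `vssadmin list shadows` record from the backup agent deliberately stays silent.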
Indicators of Compromise
- [SHA256] Lorenz binaries – 8ea6a6d4578029c7b2dbbfb525ec88b2cb309901ec5a987847471b6101f0de41, 971f0a32094b8ac10712503305ac6789048d190a209c436839e2e6b0acb016f3, and 8 more hashes
- [IP] C2 / Remediation – 162.33.179.45, 172.86.75.63, 65.21.187.237, 167.99.186.156, 157.90.147.28, 143.198.117.43, 45.61.139.150
Read more: https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware