Unmasking Lorenz Ransomware: A Dive into Recent Tactics, Techniques and Procedures 

Lorenz ransomware has evolved its TTPs with double-extortion, exfiltrating data before encryption. New indicators include a .sz41 encryption extension, randomized file and task names, a DLL-based RSA encryption seeded by the current time, and registry-based persistence via a Windows binary. Hashtags: #Lorenz #NCCGroup #sz41 #OnionDomain

Keypoints

  • Lorenz uses double-extortion tactics, exfiltrating data before encrypting systems and threatening public release if ransoms aren’t paid.
  • A new encryption extension, .sz41, was observed, replacing prior extensions and potentially signaling a method change.
  • Threat actors use random strings for file names and scheduled task names, and rename ransom notes (e.g., HELP__[A-Za-z]{0-9}__HELP.html).
  • Wininiw.exe in C:\Windows is used to modify the registry to create a new administrator account for persistence.
  • Scheduled Tasks are used to conduct enumeration, running commands with SYSTEM privileges via the command prompt.
  • Encryption relies on a DLL (RSA with current epoch time as seed), which is predictable and contains redundant code indicating iteration and customization.

MITRE Techniques

  • [T1041] Exfiltration – “double-extortion tactics, exfiltrating sensitive data before encrypting systems and threatening to sell or release it publicly unless a ransom is paid by a specified date.” – Exfiltration over C2 channel used prior to encryption.
  • [T1486] Data Encrypted for Impact – “New encryption extension – .sz41” and “encryption method – DLL – RSA using current time epoch as seed (predictable)”.
  • [T1136] Create Account – “Binaries to create local admin accounts for persistence” and related registry-based user creation.
  • [T1112] Modify Registry – “modify the local Windows Registry, creating a new user and adding it to the Administrator group.”
  • [T1053.005] Scheduled Task – “Scheduled Tasks to conduct enumeration” and to schedule actions like GoogleChromeUpdates.
  • [T1059.003] Windows Command Shell – “execute command prompt to run built-in commands” via scheduled tasks for enumeration.
  • [T1552.001] Credentials in Files – “searching the device for cleartext passwords” and dumping results to C:\Windows\Temp.
  • [T1071.001] Web Protocols – “lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd[.]onion” used as a C2 endpoint.

Indicators of Compromise

  • [File] context – Wininiw.exe in C:\Windows and C:\Windows\WinIniw.exe; ransom note and DLL references. Example: Wininiw.exe, Wininiw.exe dir.
  • [Extension] context – .sz41 as encryption extension. Example: .sz41.
  • [Ransom Note] context – HELP__[A-Za-z]{0-9}__HELP.html; ransom note filename variation. Example: HELP__[A-Za-z]{0-9}__HELP.html.
  • [Username] context – IThelperuser; user added via registry modification. Example: IThelperuser.
  • [Password] context – !2_HelpEr_E!2_HelpEr_E; password assigned to new admin user. Example: !2_HelpEr_E!2_HelpEr_E.
  • [IP Address] context – 165.232.165.215, 49.12.121.47, 168.100.9.216, 174.138.25.242, 143.198.207.6, 134.209.96.37; addresses used for FZSFTP endpoints. Example: 165.232.165.215, 49.12.121.47.
  • [IP Address] context – 167.99.6.112; another endpoint. Example: 167.99.6.112.
  • [Domain] context – lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd[.]onion; darkweb C2 endpoint. Example: lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd[.]onion.
  • [Scheduled Task Name] context – GoogleChromeUpdates; name embedded within the DLL. Example: GoogleChromeUpdates.
  • [Command] context – cmd.exe /Q /C (copy NETLOGON\report.txt …); enumeration commands. Example: cmd.exe /Q /C (copy NETLOGON\report.txt c:\Windows\WinIniw.exe dir dir start /b c:\Windows\WinIniw.exe dir).
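As an added example (not code from NCC Group or from the write-up), the following triage function maps constructed Windows Security / EDR events to the MITRE techniques and host indicators listed above, so the account creation, group change, scheduled task, command shell and encryption artefacts can be spotted together in one pass. The event field names and the reading of the ransom-note pattern as "HELP__<alphanumerics>__HELP.html" are this example's own assumptions.

```python
import re

# Host indicators quoted in the write-up above (network indicators are left to
# proxy/firewall rules). Values are lower-cased so matching is case-insensitive.
LORENZ_ACCOUNT = "ithelperuser"
LORENZ_TASK = "googlechromeupdates"
LORENZ_BINARY = r"c:\windows\wininiw.exe"
LORENZ_EXT = ".sz41"
# The page's note pattern, read here as HELP__<alphanumerics>__HELP.html (assumption).
RANSOM_NOTE_RE = re.compile(r"^help__[a-z0-9]+__help\.html$")

def triage(events):
    """Map host events to the MITRE techniques listed above.

    An event is a dict with an 'id' (Windows Security event ID, or 'file_write'
    for an EDR file event) plus the fields used below; field names are this
    example's own, not a vendor schema. Returns (technique, id, detail) per hit.
    """
    hits = []
    for ev in events:
        f = {k: str(v).lower() for k, v in ev.items()}  # case-insensitive view
        eid = f.get("id")
        if eid == "4720" and f.get("target_user") == LORENZ_ACCOUNT:
            hits.append(("T1136", eid, f"account created: {ev['target_user']}"))
        elif (eid == "4732" and f.get("group") == "administrators"
              and f.get("member") == LORENZ_ACCOUNT):
            hits.append(("T1112", eid, f"{ev['member']} added to Administrators"))
        elif eid == "4698" and (f.get("task_name") == LORENZ_TASK
                                or LORENZ_BINARY in f.get("task_content", "")):
            hits.append(("T1053.005", eid, f"task created: {ev.get('task_name')}"))
        elif eid == "4688" and (f.get("process") == LORENZ_BINARY
                                or ("/q /c" in f.get("cmdline", "")
                                    and LORENZ_BINARY in f.get("cmdline", ""))):
            hits.append(("T1059.003", eid, ev.get("cmdline") or ev.get("process")))
        elif eid == "file_write":
            name = f.get("path", "").rsplit("\\", 1)[-1]  # last path component
            if name.endswith(LORENZ_EXT) or RANSOM_NOTE_RE.match(name):
                hits.append(("T1486", eid, ev["path"]))
    return hits

SAMPLE_EVENTS = [  # constructed for this example, not taken from the incident
    {"id": 4720, "target_user": "IThelperuser"},
    {"id": 4732, "group": "Administrators", "member": "IThelperuser"},
    {"id": 4698, "task_name": "GoogleChromeUpdates", "task_content": "cmd.exe /Q /C dir"},
    {"id": 4688, "process": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /C (copy NETLOGON\report.txt c:\Windows\WinIniw.exe)"},
    {"id": "file_write", "path": r"C:\Users\alice\Documents\budget.xlsx.sz41"},
    {"id": "file_write", "path": r"C:\Users\alice\Desktop\HELP__Kx9Q__HELP.html"},
    {"id": 4720, "target_user": "svc_backup"},  # benign account creation: no hit
]
```

Running `triage(SAMPLE_EVENTS)` yields one hit per indicator-bearing event and none for the benign account creation; the same function can be fed real events once they are normalised to these field names.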

Read more: https://research.nccgroup.com/2024/02/22/unmasking-lorenz-ransomware-a-dive-into-recent-tactics-techniques-and-procedures/