March 08, 2022

Lorenz Ransomware

Industry: N/A | Level: Tactical | Source: Cybereason

Cybereason reports that Lorenz ransomware was observed as early as February 2021 and is likely a rebranding of the .sZ40 ransomware discovered in October 2020. The attackers have compromised over 20 victims, targeting predominantly “English-speaking countries” across a variety of industries. Europol’s European Cybercrime Center set the ransomware group back as part of the “No More Ransom” project, as a limited decryptor was released for the group’s ransomware. The threat group’s attack method is methodical: it studies the victim’s network to create a customized, tailored operation. For example, the attackers impersonate “the target’s employees, suppliers and partners. This way, the Lorenz group can even go from one, already compromised victim, to another.” After gaining a foothold on the network, “the attackers start to perform reconnaissance commands, move laterally within the network, and collect sensitive data including credentials, file, databases and emails.” Given the group’s customized attacks, observed threat behavior has varied. Common behaviors associated with the ransomware include the use of a scheduled task to execute vssadmin to delete volume shadow copies, and older Lorenz samples have cleared Windows event logs. A unique extortion method the group uses is selling the compromised data to other threat actors or competitors; if the ransom isn’t paid, they leak the data publicly. Lastly, the ransomware group also sells access to networks they’ve compromised.

  • Anvilogic Use Cases:
    • Inhibit System Recovery Commands
    • Create/Modify Schtasks
    • Registry key added with reg.exe
    • Clear Windows Event Logs
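The behaviors summarized above (vssadmin launched from a scheduled task to delete shadow copies, event-log clearing) map onto the four use cases listed. As an added illustration, not code from Cybereason or Anvilogic, the following Python detector runs those four checks over constructed Windows process-creation events (4688/Sysmon-style host, parent image and command line tuples). The host names, command lines, registry path and regular expressions are all assumptions built for this example; the one extra piece of logic is escalating a scheduled-task creation whose payload itself deletes shadow copies, which is the chained behavior the summary attributes to Lorenz.

```python
import re

# Detection rules keyed by the Anvilogic use-case names from the summary.
# Patterns are example regexes over the full command line, not vendor content.
RULES = {
    "Inhibit System Recovery Commands": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "Create/Modify Schtasks": re.compile(r"\bschtasks(\.exe)?\s+/(create|change)\b", re.I),
    "Registry key added with reg.exe": re.compile(r"\breg(\.exe)?\s+add\b", re.I),
    "Clear Windows Event Logs": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
}

# Constructed sample telemetry (hostname, parent image, command line); not real events.
SAMPLE_EVENTS = [
    ("ws01", r"C:\Windows\explorer.exe",
     r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt'),
    ("ws01", r"C:\Windows\System32\cmd.exe",
     r'schtasks /create /tn "Backup" /tr "vssadmin delete shadows /all /quiet" /sc once /st 00:00'),
    ("srv02", r"C:\Windows\System32\svchost.exe", r"vssadmin delete shadows /all /quiet"),
    ("srv02", r"C:\Windows\System32\cmd.exe", r"wevtutil cl Security"),
    ("srv02", r"C:\Windows\System32\cmd.exe",
     r'reg.exe add "HKLM\Software\ExampleKey" /v Run /t REG_SZ /d x /f'),  # placeholder key
    ("ws03", r"C:\Windows\System32\cmd.exe", r"vssadmin list shadows"),   # benign: list only
    ("ws03", r"C:\Windows\System32\cmd.exe", r"wevtutil qe Security /c:5"),  # benign: query only
]


def classify(cmdline):
    """Return the use-case names whose pattern matches this command line."""
    return [name for name, pat in RULES.items() if pat.search(cmdline)]


def detect(events):
    """Run every rule over every event and return one hit per (event, use case)."""
    hits = []
    for host, parent, cmdline in events:
        matched = classify(cmdline)
        for name in matched:
            severity = "medium"
            # A scheduled task whose payload deletes shadow copies is the chained
            # behavior described for Lorenz; rate it high instead of two mediums.
            if name == "Create/Modify Schtasks" and "Inhibit System Recovery Commands" in matched:
                severity = "high"
            hits.append({"host": host, "parent": parent, "use_case": name,
                         "severity": severity, "cmdline": cmdline})
    return hits


def hosts_by_usecase_count(hits):
    """Hosts ordered by how many distinct use cases fired on them.

    Several distinct behaviors on one host (recovery inhibition plus log
    clearing plus registry changes) is stronger evidence than any one alone.
    """
    per_host = {}
    for h in hits:
        per_host.setdefault(h["host"], set()).add(h["use_case"])
    return sorted(((host, len(cases)) for host, cases in per_host.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f"[{h['severity']:6}] {h['host']}: {h['use_case']} <- {h['cmdline']}")
    print("hosts by distinct use cases:", hosts_by_usecase_count(found))
```

Note that the two benign `ws03` lines (listing shadow copies, querying the Security log) produce no hits: the patterns key on the destructive sub-command, not on the binary name, which keeps backup administrators and log reviewers out of the alert queue.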