Security researchers report a new ransomware operation, Lorenz, that is targeting organizations worldwide and demanding hundreds of thousands of dollars in ransom.
According to a report from BleepingComputer, the Lorenz encryptor resembles an earlier ransomware known as ThunderCrypt. It is not known whether the same group is behind both, or whether the Lorenz operators obtained ThunderCrypt's source code and built their own variant from it.
A Lorenz attack begins with a breach of the victim's network, after which the operators move laterally between devices until they obtain Windows domain administrator credentials. While spreading through the network, they harvest the victim's unencrypted files and upload them to remote servers under their control. The stolen data is later posted on a dedicated data leak site for extortion, or sold to other threat actors.
The Lorenz gang's extortion differs from that of other ransomware groups. To pressure victims into paying, Lorenz first offers the stolen data for sale to other threat actors or to the victim's competitors. If that does not work, the gang begins publishing password-protected .rar archives containing the victim's files. The encryptor itself is also unusual: unlike most ransomware, which stops Windows services and kills processes so that files they hold open can be encrypted, Lorenz does not shut down services or kill processes before encrypting.
A ransom note is dropped in every folder in which files were encrypted. It tells the victim that their data has been stolen and links to the Lorenz data leak site and to a Tor payment site where the victim can view the ransom demand.
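Because a note lands in every encrypted folder, the notes themselves are a convenient way to scope an incident during triage. The script below is an added example, not code from the article or from any Lorenz analysis: it walks a file tree, counts the folders holding a note, bounds the start of encryption by the earliest note timestamp, and flags folders that received a note but contain no encrypted files. The note filename, the encrypted-file extension and the sample directory layout are all invented for illustration; the real Lorenz note name and extension are not given on this page.

```python
"""Added IR triage example (not from the article): scope a ransomware incident
by locating per-folder ransom notes.

All names below are assumptions for illustration only:
  NOTE_NAME  - the note filename (Lorenz's real note name is not on the page)
  ENC_SUFFIX - the extension encrypted files get (also not on the page)
"""
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional

NOTE_NAME = "HELP_RESTORE_FILES.txt"   # assumed, not the real Lorenz note name
ENC_SUFFIX = ".locked"                  # assumed, not the real Lorenz extension


@dataclass
class Scope:
    note_folders: List[str] = field(default_factory=list)   # blast radius
    encrypted_files: int = 0
    notes_without_encryption: List[str] = field(default_factory=list)
    first_note: Optional[float] = None   # earliest note mtime: encryption started by then
    last_note: Optional[float] = None    # latest note mtime: encryption ran at least until then


def scope_incident(root: str, note_name: str = NOTE_NAME,
                   enc_suffix: str = ENC_SUFFIX) -> Scope:
    """Walk `root` and record every folder that holds a ransom note.

    The earliest note timestamp is the pivot for pulling logs (logons, lateral
    movement, outbound transfers) from the hours before encryption began.
    """
    scope = Scope()
    for dirpath, _dirs, files in os.walk(root):
        if note_name not in files:
            continue
        scope.note_folders.append(dirpath)
        mtime = os.path.getmtime(os.path.join(dirpath, note_name))
        scope.first_note = mtime if scope.first_note is None else min(scope.first_note, mtime)
        scope.last_note = mtime if scope.last_note is None else max(scope.last_note, mtime)
        encrypted = [f for f in files if f.endswith(enc_suffix)]
        scope.encrypted_files += len(encrypted)
        if not encrypted:
            # A note with nothing encrypted beside it deserves a look. One plausible
            # cause (an inference, not stated on the page) is a file held open by a
            # service the encryptor never stopped.
            scope.notes_without_encryption.append(dirpath)
    return scope


def build_sample_tree() -> str:
    """Constructed sample layout so the example runs offline; returns the temp root."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    layout = {
        "finance": ["q1.xlsx" + ENC_SUFFIX, "q2.xlsx" + ENC_SUFFIX, NOTE_NAME],
        "finance/archive": ["2019.zip" + ENC_SUFFIX, NOTE_NAME],
        "hr": ["payroll.db", NOTE_NAME],   # note dropped, database file left alone
        "public": ["readme.txt"],          # folder never touched
    }
    for rel, names in layout.items():
        folder = Path(root, rel)
        folder.mkdir(parents=True, exist_ok=True)
        for name in names:
            (folder / name).write_bytes(b"sample")
    return root


if __name__ == "__main__":
    scope = scope_incident(build_sample_tree())
    print(f"{len(scope.note_folders)} folders with notes, "
          f"{scope.encrypted_files} encrypted files")
    print("notes without encrypted files:", scope.notes_without_encryption)
```

Point `scope_incident` at a mounted forensic image or a share rather than the constructed tree to use it for real; the folder list gives the blast radius and the two timestamps bound the encryption window for the log review that follows.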
Finally, if the victim still refuses to pay, Lorenz releases the password for the leaked archives, making the files freely available for download. According to ransom notes seen by BleepingComputer, the gang's demands range from $500,000 to $700,000.
The encryptor is currently being analyzed for weaknesses that might allow files to be recovered without paying. Paying the ransom guarantees nothing either: the data stolen before encryption may still end up for sale on the Dark Web.