
Experts developed a free decryptor for the Lorenz ransomware

June 28, 2021 - SecurityAffairs

Researchers analyzed a recently discovered threat, the Lorenz ransomware, and developed a free decryptor for the victims of this new operation.

The Lorenz ransomware gang has been active since April 2021 and has hit multiple organizations worldwide, demanding ransoms of hundreds of thousands of dollars from its victims.

Like other ransomware gangs, the Lorenz operators run a double-extortion model: they steal data before encrypting it and threaten to leak it if the victim does not pay. Ransom demands have been high, between $500,000 and $700,000.

Researchers from the cybersecurity firm Tesorion analyzed the ransomware and developed a decryptor that, in some cases, allows victims to recover their files for free. The firm plans to release the decryptor through the NoMoreRansom initiative soon.

Lorenz encrypts files with AES-128 in CBC mode and uses RSA to protect the per-file key: a random password is generated for every file, the AES key is derived from that password with the Windows CryptoAPI function CryptDeriveKey, and the resulting file key is then RSA-encrypted and stored with the file.

The ransomware is likely written in C++ with Microsoft Visual Studio 2015. All of the samples analyzed by the experts were compiled with debug information, which made the analysis easier.

At startup Lorenz creates a mutex named “wolf” so that only one instance runs at a time on an infected system. Before encrypting any files, it sends the name of the infected machine to its command-and-control (C2) server.

“Files encrypted by ransomware commonly contain footers, as footers can be easily appended to a file. Lorenz places a header before the encrypted file instead. This makes the ransomware less efficient as it must copy the contents of every file. The header contains the magic value: ‘.sz40’, followed by the RSA-encrypted file encryption key. After writing the encrypted file header, every file is encrypted whole in rather small blocks of 48 bytes. Encrypted files get the file extension: ‘.Lorenz.sz40’.” reads the analysis published by Tesorion.

The experts also found a bug in the encryption process, specifically in how the malware calls the CryptEncrypt function.

“The result of this bug is that for every file whose size is a multiple of 48 bytes, the last 48 bytes are lost. Even if you managed to obtain a decryptor from the malware authors, these bytes cannot be recovered.” states the analysis.
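To make the file layout and the failure mode concrete, the following is an added model written for this page; it is not code from Lorenz or from Tesorion. It writes a `.sz40` header followed by an RSA-encrypted key blob, then pushes the plaintext through a CryptEncrypt-style call in 48-byte chunks using a 48-byte output buffer. The root cause is an assumption the page does not spell out: CryptEncrypt pads the final chunk, so a final chunk of exactly 48 bytes needs a 64-byte buffer, and an unchecked failure silently drops it, which reproduces the quoted symptom. The placeholder cipher (byte reversal) and the length of the RSA blob are also assumptions.

```python
"""Added model of a Lorenz-style encryption loop (constructed for this page;
not the ransomware's or Tesorion's code).  The cipher is a placeholder; the
point is the header layout and the buffer-length arithmetic around the
CryptEncrypt Final flag that can lose a 48-byte tail."""
from typing import Tuple

AES_BLOCK = 16         # AES block size in bytes
CHUNK = 48             # Lorenz feeds files to CryptEncrypt in 48-byte chunks
MAGIC = b".sz40"       # header magic value reported in the analysis
EXT = ".Lorenz.sz40"   # extension given to encrypted files


class MoreData(Exception):
    """Models CryptEncrypt returning FALSE with ERROR_MORE_DATA when the
    caller's buffer (dwBufLen) is too small for the padded output."""


def pkcs7_pad(data: bytes) -> bytes:
    n = AES_BLOCK - (len(data) % AES_BLOCK)
    return data + bytes([n]) * n


def pseudo_encrypt(block: bytes) -> bytes:
    # Placeholder for AES-128-CBC (assumption: keeps the model dependency-free).
    return block[::-1]


def crypt_encrypt_model(chunk: bytes, final: bool, buf_len: int) -> bytes:
    """Assumed CryptEncrypt contract for a block cipher: non-final input must
    be a multiple of the cipher block size and comes back the same length;
    final input is PKCS#7-padded, so it grows by 1..16 bytes.  If the padded
    output does not fit in buf_len bytes the call fails and yields nothing."""
    if not final:
        if len(chunk) % AES_BLOCK:
            raise ValueError("non-final chunk must be block aligned")
        return pseudo_encrypt(chunk)
    padded = pkcs7_pad(chunk)
    if len(padded) > buf_len:
        raise MoreData(f"need {len(padded)} bytes, buffer holds {buf_len}")
    return pseudo_encrypt(padded)


def encrypt_file_bytes(plain: bytes, rsa_blob: bytes) -> Tuple[bytes, int]:
    """Write the header (magic + RSA-encrypted key blob), then every 48-byte
    chunk through a 48-byte output buffer.  Returns (file_image, lost_bytes).
    Ignoring the failed call is the assumption that reproduces the
    'last 48 bytes are lost' symptom."""
    out = bytearray(MAGIC + rsa_blob)
    lost = 0
    for off in range(0, len(plain), CHUNK):
        chunk = plain[off:off + CHUNK]
        final = off + CHUNK >= len(plain)
        try:
            out += crypt_encrypt_model(chunk, final, buf_len=CHUNK)
        except MoreData:
            lost += len(chunk)   # failure ignored: chunk never reaches disk
    return bytes(out), lost


def tail_lost(original_size: int) -> bool:
    """True when a file of this plaintext size comes back 48 bytes short even
    with a working decryptor (non-empty size that is a multiple of 48)."""
    return original_size > 0 and original_size % CHUNK == 0


def parse_header(image: bytes, rsa_blob_len: int) -> Tuple[bytes, bytes]:
    """Split an encrypted image into (rsa_encrypted_key, ciphertext_body).
    rsa_blob_len is an assumption: the page does not give the RSA key size."""
    if not image.startswith(MAGIC):
        raise ValueError("magic '.sz40' missing: not a Lorenz-style image")
    start = len(MAGIC)
    return image[start:start + rsa_blob_len], image[start + rsa_blob_len:]


def looks_encrypted(name: str, first_bytes: bytes) -> bool:
    """Triage check for a single file: extension and header magic together."""
    return name.endswith(EXT) and first_bytes.startswith(MAGIC)


if __name__ == "__main__":
    # Constructed sample: a 96-byte file loses its last chunk, a 95-byte one does not.
    for size in (95, 96):
        image, lost = encrypt_file_bytes(b"A" * size, b"K" * 8)
        print(f"{size} bytes -> image {len(image)} bytes, lost {lost}, "
              f"tail_lost={tail_lost(size)}")
```

During recovery, `tail_lost` is the check worth running against original file sizes taken from backups or file-server inventories: it flags in advance which files will come back 48 bytes short even after a successful decryption, so they can be restored from backup instead.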

The researchers determined that, in some cases, files that were not truncated by this bug can be decrypted without paying the ransom.

The analysis also includes indicators of compromise (IoCs) for this threat.


Pierluigi Paganini

(SecurityAffairs – hacking, Crackonosh)


Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog “Security Affairs”, recently named a Top National Security Resource for the US. Pierluigi is a member of “The Hacker News” team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
