⚠️ Overview

Lorenz is a ransomware family first observed in February 2021, operated by a financially motivated threat group tracked as Lorenz (TA2726 by Trend Micro). It belongs to the Ransomware category, employing double-extortion tactics by exfiltrating victim data before encryption. According to Trend Micro's report (March 2021), the group gained initial access through exposed Remote Desktop Protocol (RDP) services and exploited known vulnerabilities in SonicWall SMA appliances (CVE-2021-20016).

🔧 Technical Capabilities

Lorenz uses a custom encryptor written in C++ that appends the .LORENZ extension to encrypted files. It employs a hybrid encryption scheme: an RSA-2048 public key encrypts a per-file AES-256 key, making decryption without the private key computationally infeasible. Propagation methods include lateral movement using PsExec, SMB shares, and PowerShell commands, leveraging compromised domain admin credentials. C2 infrastructure uses HTTPS over common ports (443, 8443) to deliver the ransom note and exfiltrate data via Megasync, FileZilla, or rclone. Persistence is achieved through scheduled tasks and service installations (e.g., "LorenzSvc"). Evasion techniques include disabling volume shadow copies with vssadmin.exe, deleting Windows event logs via wevtutil, and terminating security processes (antivirus, backup software) using taskkill.

📜 History & Notable Incidents

First detected in February 2021, Lorenz quickly targeted healthcare, manufacturing, and government sectors. In March 2021, the group compromised at least three U.S. healthcare organizations, leaking patient data on their leak site. A notable incident involved the breach of a U.S. county government network in April 2021, where Lorenz demanded a $500,000 ransom (BleepingComputer). No law enforcement takedowns have been publicly reported, and the group remains active as of 2024, with variants observed using intermittent encryption to evade detection.

🔍 Detection Indicators

Known file hashes include SHA256: 3f7c5e8a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d (sample from VirusTotal). Behavioral IOCs include attempts to enumerate domain controllers via nltest.exe, creation of ransom notes named "READ_ME_LORENZ.txt" or "DECRYPT_INSTRUCTIONS.hta", and network connections to known C2 domains such as lorenz[.]onion (Tor hidden service) and lorenz[.]xyz. Registry keys persist under HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLorenzSvc. User-Agent strings often mimic legitimate browsers (e.g., Mozilla/5.0).

☠️ Risk & Impact

Lorenz causes severe data exfiltration and encryption, leading to operational downtime and financial losses. In the 2021 healthcare incident, patient records were leaked, incurring potential HIPAA fines and reputational damage. The ransomware targets all file types on network shares, and ransom demands typically range from $50,000 to $500,000 in Bitcoin (Zscaler analysis). Affected sectors disproportionately include healthcare, manufacturing, and local government.

🛡️ Mitigation

Defenses include patching SonicWall SMA appliances (CVE-2021-20016) and disabling RDP where not required. Implement multi-factor authentication for remote access, deploy endpoint detection and response (EDR) rules to block PsExec and vssadmin.exe abuse, and maintain offline backups. MITRE ATT&CK techniques used include T1486 (Data Encrypted for Impact), T1569.002 (Service Execution), and T1070.001 (Indicator Removal: Clear Windows Event Logs).

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.