Unmasking Lorenz Ransomware: A Dive into Recent Tactics and Techniques
In an age where digital security threats are continuously morphing, ransomware attacks have cemented themselves as a formidable challenge, especially for small to medium businesses worldwide. A significant player in this landscape, the Lorenz ransomware group, has been on the radar of cybersecurity firms for its malicious activities. Since its emergence in early 2021, Lorenz has been notorious for its double-extortion tactics—stealing sensitive information before encrypting victims’ systems and then demanding a ransom to prevent the public release of the stolen data.
Recent insights from NCC Group’s Digital Forensics and Incident Response (DFIR) Team in APAC have unveiled the group’s evolving methodologies, marking a significant shift in their approach to executing cyberattacks.
Emerging Patterns and Innovations in Lorenz’s Arsenal
The adjustments in Lorenz’s modus operandi encompass several key areas, from encryption extensions to more sophisticated persistence mechanisms. Here’s an overview of the notable changes identified:
Changing Encryption Extensions
A pivotal observation was the change in the extension appended to encrypted files. Historically, Lorenz marked encrypted files with the ‘.sz40’ extension; recent incidents show a new extension, ‘.sz41’. The change may not be merely cosmetic: a version bump in the file marker often accompanies changes to the encryption routine itself, and detections keyed only on ‘.sz40’ will miss the newer samples.
Randomized Naming Conventions
Another layer of complexity comes from randomly generated strings used to name files and scheduled tasks. The ransom note follows the same pattern: it is now written as ‘HELP__[A-Za-z]{0-9}__HELP.html’, with the middle segment randomly generated. The intent is to defeat detections keyed on fixed filenames or task names, so hunting has to rely on the constant ‘HELP__’ and ‘__HELP.html’ anchors around the random segment rather than on an exact name.
Malicious Executables and User Creation
One of the more alarming tactics involves the ‘Wininiw.exe’ executable found in the ‘C:\Windows\*’ directory of affected systems, a name that differs by one character from the legitimate wininit.exe. This malicious file tampers with the local Windows Registry to create new user accounts with administrative privileges, giving the attackers a persistence foothold that does not depend on the credentials they originally compromised.
Scheduled Tasks for Enumeration
The investigation also uncovered Lorenz’s use of Scheduled Tasks to run command-line operations for system enumeration. The tasks automate the search for valuable information, such as cleartext passwords, and, because they survive reboots, also serve as a persistence mechanism for the collection stage of the intrusion.
An Evolution in Encryption Tactics
The DFIR team observed a significant evolution in Lorenz’s encryption methods. The group now performs encryption from a DLL and seeds its random number generator with the current epoch time. That choice is a weakness: a seed taken from a second-resolution clock has only 86,400 possible values per day, so anyone who can bound when the encryption ran (from file timestamps or event logs, for example) can enumerate the candidate seeds and reproduce whatever values the generator produced. It nonetheless marks a departure from the encryption tooling the group used previously.
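To make the weakness concrete, here is an added example (not Lorenz’s code, and not from the NCC Group report) that models the one property described above: a random number generator seeded with the current epoch time. The cipher is a toy XOR key stream so that the effect of the seed is easy to see; Lorenz’s actual cipher, DLL and key handling are not known from this page. The attack side bounds the encryption time to a window and brute-forces every seed in it, using a known plaintext prefix (a PDF magic header, here) to recognise the right one.

```python
"""Toy model of an encryptor whose only secret is an epoch-time PRNG seed.

Added example, not Lorenz's implementation. Every name here is illustrative.
"""
import random
import time


def derive_key(seed: int, length: int = 32) -> bytes:
    """Derive a key stream from a seed the way a naive encryptor might.

    random.Random is a Mersenne Twister, not a CSPRNG, but the generator is
    not the point: with a clock-derived seed the seed space is tiny no matter
    how good the generator is.
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key stream."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def weak_encrypt(plaintext: bytes, now: int) -> bytes:
    """'Encrypt' with a key derived from the epoch time at which it ran."""
    return xor_bytes(plaintext, derive_key(now))


def recover_plaintext(ciphertext: bytes, known_prefix: bytes,
                      window_start: int, window_end: int):
    """Brute-force the seed across [window_start, window_end].

    A known plaintext prefix (e.g. a file format's magic header) identifies
    the correct seed. Returns (seed, plaintext) or None if no seed matched.
    """
    for seed in range(window_start, window_end + 1):
        candidate = xor_bytes(ciphertext, derive_key(seed))
        if candidate.startswith(known_prefix):
            return seed, candidate
    return None


def demo(window_seconds: int = 3600):
    """Encrypt a constructed sample 'now', then recover it knowing only that
    encryption happened within +/- window_seconds of the current time."""
    now = int(time.time())
    plaintext = b"%PDF-1.7\n%constructed sample document body"
    ciphertext = weak_encrypt(plaintext, now)
    return recover_plaintext(ciphertext, b"%PDF-",
                             now - window_seconds, now + window_seconds)


if __name__ == "__main__":
    result = demo()
    if result is None:
        print("seed not found in window")
    else:
        seed, recovered = result
        print(f"recovered seed {seed}: {recovered!r}")
```

A two-hour window costs 7,201 key derivations, which runs in well under a second; even a full day is 86,400 candidates. The forensic lesson is that file system and event log timestamps around the encryption window are worth preserving precisely, because for a scheme like this they bound the search directly.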
Conclusion: A Call for Vigilance
The continuous evolution of ransomware tactics underscores the need for organizations to remain alert and proactively update their cybersecurity defenses. Lorenz’s recent shift in strategies highlights the persistent threat landscape and the importance of staying informed about the latest cyberattack trends.
For organizations and cybersecurity professionals, understanding these changes is crucial for enhancing preparedness against Lorenz and similar ransomware threats. Continuous monitoring, coupled with an in-depth analysis of emerging tactics, is essential for mitigating the risks posed by these cybercriminals.
Indicators of Compromise (IoCs)
To assist in the early detection and response to Lorenz ransomware activities, here are some key IoCs identified in recent investigations:
- Commands: specific command-line operations related to system configuration and file deletion.
- Malicious Executables: The presence of ‘Wininiw.exe’ and DLL files associated with Lorenz’s encryption process.
- Encryption Extension: Identification of the ‘.sz41’ extension indicating Lorenz encryption.
- Ransom Note: ransom notes following the randomized naming convention ‘HELP__[A-Za-z]{0-9}__HELP.html’, where the middle segment varies and the ‘HELP__’ and ‘__HELP.html’ anchors are constant.
- Scheduled Tasks: The creation of tasks with randomly generated or suspicious names, tied to Lorenz’s operational patterns.
- Network Indicators: Specific IP addresses and ports associated with Lorenz’s command and control servers.
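The following added example (not from the NCC Group report) turns the host-based indicators above into detection logic and runs it over a handful of constructed Windows Security and Sysmon records. It correlates account creation (event 4720) with addition to the local Administrators group (event 4732), flags root-level scheduled tasks with random-looking alphanumeric names (event 4698), and matches created files (Sysmon event 11) against the ‘.sz40’/‘.sz41’ extensions, the ransom-note pattern, and the ‘Wininiw.exe’ name under C:\Windows. The sample events, the task arguments, and the treatment of the ransom note’s middle segment as any alphanumeric run are my assumptions; the field names mirror the Windows event schema but the records are not real telemetry.

```python
"""Detection logic for the Lorenz host indicators listed on this page.

Added example with constructed sample events, not real telemetry.
Events are assumed to arrive in time order (4720 before 4732).
"""
import re

# Constructed sample records (not real telemetry), flattened to dicts.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "svc_backup2", "SubjectUserName": "Administrator"},
    {"EventID": 4732, "TargetUserName": "Administrators", "MemberName": "svc_backup2"},
    {"EventID": 4698, "TaskName": "\\Kf9x2LqPz7", "Command": "cmd.exe",
     "Arguments": "/c findstr /si password *.txt *.ini"},        # constructed arguments
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Command": "defrag.exe", "Arguments": "-c"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\Documents\\budget.xlsx.sz41"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\Documents\\HELP__x7Qm2LpZ__HELP.html"},
    {"EventID": 11, "TargetFilename": "C:\\Windows\\Wininiw.exe"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
]

# Fixed anchors around the random segment; the segment itself is assumed alphanumeric.
RANSOM_NOTE_RE = re.compile(r"^HELP__[A-Za-z0-9]+__HELP\.html$", re.IGNORECASE)
# Both the historical and the newly observed extension.
ENCRYPTED_EXT_RE = re.compile(r"\.sz4[01]$", re.IGNORECASE)
# Heuristic: a root-level task (no vendor folder) whose name is a bare run of
# 8+ letters and digits containing both. Legitimate root-level tasks exist,
# so production use needs an allowlist.
RANDOM_TASK_RE = re.compile(r"^\\?[A-Za-z0-9]{8,}$")
TASK_ALLOWLIST = set()
SUSPECT_BINARIES = {"wininiw.exe"}


def looks_random(task_name: str) -> bool:
    """Root-level alphanumeric name with at least one digit and one letter."""
    if task_name in TASK_ALLOWLIST or not RANDOM_TASK_RE.match(task_name):
        return False
    return bool(re.search(r"\d", task_name)) and bool(re.search(r"[A-Za-z]", task_name))


def detect(events):
    """Return a list of (rule, detail) findings for the given event stream."""
    findings = []
    created_accounts = set()
    for e in events:
        eid = e.get("EventID")
        if eid == 4720:
            created_accounts.add(e["TargetUserName"].lower())
        elif eid == 4732 and e.get("TargetUserName", "").lower() == "administrators":
            member = e["MemberName"].lower()
            if member in created_accounts:
                findings.append(("new_local_admin", member))
        elif eid == 4698:
            name = e["TaskName"]
            if looks_random(name):
                findings.append(("random_named_task",
                                 f"{name} -> {e['Command']} {e.get('Arguments', '')}"))
        elif eid == 11:
            path = e["TargetFilename"]
            base = path.rsplit("\\", 1)[-1]
            if ENCRYPTED_EXT_RE.search(base):
                findings.append(("lorenz_extension", path))
            elif RANSOM_NOTE_RE.match(base):
                findings.append(("ransom_note", path))
            elif base.lower() in SUSPECT_BINARIES and path.lower().startswith("c:\\windows\\"):
                findings.append(("suspect_binary", path))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:20} {detail}")
```

The value of correlating 4720 with 4732 rather than alerting on either alone is that a newly created account that is immediately made a local administrator is rare in normal operations but is exactly the behaviour described for ‘Wininiw.exe’. The extension and ransom-note rules are cheap and high-confidence; the random-task heuristic is the noisy one and should be tuned against a baseline of the environment’s own root-level tasks.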
By staying abreast of Lorenz’s ever-evolving TTPs and maintaining robust cybersecurity measures, organizations can significantly reduce their vulnerability to these threats. The cybersecurity community’s ongoing efforts to analyze and publicize these findings are pivotal in the collective fight against ransomware.