Unmasking Lorenz Ransomware: A Dive into Recent Tactics, Techniques and Procedures

NCC Group's Digital Forensics Team shares its latest findings on how the notorious ransomware group is changing its strategies.

In the ever-evolving landscape of cyber threats, ransomware remains a persistent menace, with groups like Lorenz actively targeting small and medium-sized businesses globally. Since early 2021, Lorenz has employed double-extortion tactics: exfiltrating sensitive data before encrypting systems, then threatening to sell or publicly release that data unless a ransom is paid by a specified date.

Recent investigations by NCC Group’s Digital Forensics and Incident Response (DFIR) Team in APAC have uncovered significant deviations in Lorenz’s Tactics, Techniques, and Procedures (TTPs), shedding light on the group’s evolving strategies. 

Key TTP changes:

  • New encryption extension: .sz41
  • Random strings for file names and scheduled task names
  • A binary that creates a local administrator account for persistence
  • Scheduled tasks used to run enumeration commands
  • New encryption method, delivered as a DLL, that seeds its RSA key generation with the current epoch time (predictable)

Changing Encryption Extensions 

One notable shift observed in Lorenz’s recent activities is a change in their encryption extension. Previously, the group used the extensions ‘Lorenz.sz40’ or ‘.sz40’; however, during the recent compromise, a new extension, ‘.sz41,’ was identified. While seemingly minor, these extensions often serve as the group’s signature, making this change noteworthy. A change in the encryption extension can also indicate a change in the encryption methods being used. 

File and Task Naming Conventions 

During the investigation, the threat actor preferred randomly generated strings matching ‘[A-Z]{0-9}’ for file names and scheduled task names. This extends to the ransom note, now named ‘HELP__[A-Za-z]{0-9}__HELP.html’ rather than the previously reported ‘HELP_SECURITY_EVENT.html.’ This demonstrates the group’s adaptability and its attempts to evade detection based on previously published Indicators of Compromise: detections keyed on fixed file or task names will miss this variant, while detections keyed on structure and behaviour (the note’s ‘HELP__’ prefix and ‘__HELP.html’ suffix, the drop location, the command lines) still fire.

[Image: example of the file and task naming conventions discussed (NCC Group)]

Malicious File: Wininiw.exe 

A key discovery during the investigation was the presence of ‘Wininiw.exe’ in the ‘C:\Windows\*’ directory on compromised systems. The threat actor used this executable to modify the local Windows Registry, creating a new user with a specified password and adding it to the Administrators group (the account name and password observed are listed in the Indicators of Compromise below). Although the threat actor already held Administrator privileges, the new account likely serves as a backup persistence mechanism. Because the account was written through the registry rather than created with the usual net user commands, defenders should not rely on command-line telemetry alone to find it: enumerating local accounts and local Administrators group membership across hosts is the reliable check.

[Image: screenshot demonstrating the Wininiw.exe findings (NCC Group)]

Scheduled Tasks 

To conduct enumeration, the threat actor used Scheduled Tasks to launch cmd.exe and run built-in commands. These commands matched previously reported TTPs and consisted primarily of searching the device for cleartext passwords and writing the results to C:\Windows\Temp. The threat actor likely used Scheduled Tasks both to automate enumeration and to ensure the commands ran with SYSTEM privileges. Task creation is recorded as Security Event ID 4698 (when Audit Other Object Access Events is enabled) and as Event ID 106 in the Microsoft-Windows-TaskScheduler/Operational log, so a task with a random letter-only name whose action is cmd.exe is a useful hunt query.

[Image: Scheduled Tasks example screenshot (NCC Group)]
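As an added example (not NCC Group’s tooling), the following Python runs a handful of command-line rules written from the IoC list at the end of this article over constructed process-creation records, the kind of data Sysmon Event ID 1 or Security Event 4688 with command-line auditing provides. Host names, user names, parent processes and the random .tmp file names are made up; the NETLOGON server name DC01 is an assumption, since the article redacts it.

```python
"""Command-line detection rules for the Lorenz TTPs described in this article.

Added example: the rules are written from the article's IoC list, and the
events below are constructed (host, user and parent names are made up; the
NETLOGON server name DC01 is an assumption).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent: str
    cmdline: str


# (rule name, pattern over the command line, why it matters)
RULES = [
    ("cleartext_password_hunt",
     re.compile(r"\bdir\s+\S+\s*/s\s*/b\s*\|\s*(?:findstr|grep)\s+pass\b", re.I),
     "recursive directory listing filtered for 'pass' (IoC 5 and 6)"),
    ("temp_tmp_output",
     re.compile(r">\s*C:\\Windows\\Temp\\[A-Za-z]+\.tmp", re.I),
     "enumeration output dropped in C:\\Windows\\Temp under a random .tmp name"),
    ("sz4_extension_scan",
     re.compile(r"\bfindstr\s+\.sz4", re.I),
     "checks for files already carrying the .sz4x extension (IoC 7)"),
    ("safeboot_network",
     re.compile(r"\bbcdedit\b.*\bsafeboot\s+network\b", re.I),
     "next boot forced into Safe Mode with Networking (IoC 2)"),
    ("delayed_reboot",
     re.compile(r"\bshutdown\s+/r\s+/t\s+\d+", re.I),
     "delayed reboot following the safeboot change (IoC 3)"),
    ("wininiw_staging",
     re.compile(r"\bcopy\s+\\\\\S*NETLOGON\\\S+\s+c:\\Windows\\WinIniw\.exe", re.I),
     "WinIniw.exe copied from a NETLOGON share into C:\\Windows (IoC 1)"),
    ("wininiw_cleanup",
     re.compile(r"\bdel\s+c:\\Windows\\Wininiw\.exe", re.I),
     "WinIniw.exe deleted after use (IoC 4)"),
    ("chrome_update_task",
     re.compile(r'\bschtasks\s+/Create\b.*/RU\s+Users\b.*/TN\s+"?GoogleChromeUpdates', re.I),
     "weekly task named like a Chrome updater, as created by the .sz41 DLL (IoC 8)"),
]

SAMPLE_EVENTS = [  # constructed; command lines follow the article's IoC list
    ProcessEvent("FS01", r"NT AUTHORITY\SYSTEM", "svchost.exe",
                 r'"cmd.exe" /C dir D:\ /s/b |findstr pass > C:\Windows\Temp\kqzv.tmp 2> 1'),
    ProcessEvent("FS01", r"NT AUTHORITY\SYSTEM", "svchost.exe",
                 r'"cmd.exe" /C dir C:\Windows\ /s/b |findstr .sz4 > C:\Windows\Temp\plmx.tmp 2> 1'),
    ProcessEvent("FS01", r"CORP\admin", "wmiprvse.exe",
                 r"cmd.exe /c bcdedit /set {default} safeboot network"),
    ProcessEvent("FS01", r"CORP\admin", "wmiprvse.exe",
                 r'"cmd.exe" /Q /C dir shutdown /r /t 600 dir'),
    ProcessEvent("FS01", r"CORP\admin", "wmiprvse.exe",
                 r'"cmd.exe" /Q /C del c:\Windows\Wininiw.exe'),
    ProcessEvent("FS01", r"CORP\admin", "wmiprvse.exe",  # DC01 is assumed
                 r'"cmd.exe" /Q /C (copy \\DC01\NETLOGON\report.txt c:\Windows\WinIniw.exe & start /b c:\Windows\WinIniw.exe)'),
    ProcessEvent("FS01", r"NT AUTHORITY\SYSTEM", "rundll32.exe",
                 r'cmd.exe /c schtasks /Create /F /RU Users /SC WEEKLY /MO 1 /ST 10:30 /D MON /TN "GoogleChromeUpdates"'),
    ProcessEvent("WS07", r"CORP\jsmith", "explorer.exe",  # benign control
                 r'"cmd.exe" /C dir C:\Users\jsmith\Documents /b'),
]


def detect(events):
    """Return one hit per (event, rule) pair whose command line matches."""
    hits = []
    for ev in events:
        for name, pattern, why in RULES:
            if pattern.search(ev.cmdline):
                hits.append({"host": ev.host, "user": ev.user, "parent": ev.parent,
                             "rule": name, "why": why, "cmdline": ev.cmdline})
    return hits


def rules_per_host(hits):
    """Collapse hits to {host: sorted rule names}; several distinct rules on
    one host within a short window is the signal worth paging on."""
    out = {}
    for h in hits:
        out.setdefault(h["host"], set()).add(h["rule"])
    return {host: sorted(rules) for host, rules in out.items()}


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f'{h["host"]} {h["rule"]:<24} {h["cmdline"]}')
    print(rules_per_host(detect(SAMPLE_EVENTS)))
```

The rules deliberately key on what the operator has to do (recursive listing piped through findstr for “pass”, output to C:\Windows\Temp, the safeboot change) rather than on the random names, which is the part of this variant that changed. Expect the bcdedit and shutdown rules to fire on legitimate administration occasionally; the value is in the combination on one host.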

Encryption 

We observed the threat actor employing a DLL named ‘[A-Z]{0-9}.sz41,’ located in the ‘C:\Windows\*’ directory. This DLL was responsible for both the encryption process and the creation of the ransom note. Notably, the encryption technique deviated from previously documented methods.

In this instance, the threat actor used the current epoch time as the seed for a random number generator, which in turn generated a passphrase from which the encryption key was derived. This makes the key predictable: if the period during which encryption occurred can be bounded, for example from the modification timestamps of the encrypted files (where they have not been tampered with) or from the scheduled-task and process events on the host, an analyst can enumerate every candidate seed in that window, derive the corresponding key, and test it against a file with a known header. The DLL also contained a significant amount of dead code that never executes, indicating that the DLL has been iterated upon and is possibly customized for each victim’s environment.
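To show why an epoch-time seed is a weakness, here is an added Python model. It is not the Lorenz DLL’s code: the article only states that the epoch time seeds an RNG, the RNG produces a passphrase, and a key is derived from it. The RNG (Python’s Mersenne Twister), the alphabet and length of the passphrase, the SHA-256 derivation and the HMAC-based stream cipher are all assumptions standing in for whatever the real sample uses; the incident timestamps and the PDF document are constructed.

```python
"""Why an epoch-seeded encryption key is recoverable.

Added model, not the Lorenz DLL's code. The RNG (random.Random), alphabet,
passphrase length, SHA-256 key derivation and HMAC-SHA256 counter-mode
stream cipher are assumptions; the real sample's choices must be read out
of the DLL before this approach can be applied to a victim's files.
"""
import hashlib
import hmac
import random
import string
import struct

ALPHABET = string.ascii_letters + string.digits
PASSPHRASE_LEN = 32


def passphrase_from_seed(epoch_seconds: int) -> str:
    """Encryptor side: seed the RNG with the clock, draw a passphrase."""
    rng = random.Random(epoch_seconds)
    return "".join(rng.choice(ALPHABET) for _ in range(PASSPHRASE_LEN))


def key_from_passphrase(passphrase: str) -> bytes:
    return hashlib.sha256(passphrase.encode()).digest()


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stand-in for the real cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def recover_seed(ciphertext: bytes, known_prefix: bytes,
                 window_start: int, window_end: int):
    """Analyst side: try every second in the window and keep the seed whose
    key decrypts the known file header. Returns (seed, key, candidates_tried)
    or None if no seed in the window works."""
    tried = 0
    head = ciphertext[:len(known_prefix)]
    for t in range(window_start, window_end + 1):
        tried += 1
        key = key_from_passphrase(passphrase_from_seed(t))
        if xor_crypt(key, head) == known_prefix:
            return t, key, tried
    return None


if __name__ == "__main__":
    # Constructed incident: encryption ran at this epoch second, unknown to the
    # analyst, and file timestamps bound it to a one-hour window (3601 seeds).
    true_seed = 1705312345
    plaintext = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\nconstructed victim document\n"
    ciphertext = xor_crypt(key_from_passphrase(passphrase_from_seed(true_seed)), plaintext)
    seed, key, tried = recover_seed(ciphertext, b"%PDF-1.7",
                                    true_seed - 1800, true_seed + 1800)
    print(f"recovered seed {seed} after {tried} candidates; "
          f"plaintext restored: {xor_crypt(key, ciphertext) == plaintext}")
```

Eight known header bytes are enough here: a wrong seed produces the right eight bytes with probability about 2^-64, so a few thousand candidates cannot collide by accident. The search cost is one RNG run plus a hash per candidate, so even a window of days is feasible. Two caveats carry over to a real sample: whether the seed is taken once per run or per file decides whether the search is done once or per file, and the recovered passphrase is only useful once the DLL’s actual derivation and cipher have been reproduced.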

As ransomware gangs continue to evolve their tactics, organizations must remain vigilant and adapt their cybersecurity strategies accordingly. The recent investigation by NCC Group underscores the importance of continuous monitoring and analysis to stay ahead of ransomware threats. By understanding the evolution of Lorenz’s recent activities, organizations and cyber defenders can be better prepared to identify ransomware precursors and mitigate the risk associated with ransomware groups. 

Indicators of Compromise

1. IoC: "cmd.exe" /Q /C (copy \\\NETLOGON\report.txt c:\Windows\WinIniw.exe dir dir start /b c:\Windows\WinIniw.exe dir)
   Type: Command

2. IoC: cmd.exe /c bcdedit /set {default} safeboot network
   Type: Command

3. IoC: "cmd.exe" /Q /C dir shutdown /r /t 600 dir
   Type: Command

4. IoC: "cmd.exe" /Q /C del c:\Windows\Wininiw.exe
   Type: Command

5. IoC: "cmd.exe" /C dir D:\ /s/b |findstr pass > C:\Windows\Temp\[A-Za-z].tmp 2> 1
   Type: Command

6. IoC: "cmd.exe" /C dir D:\ /s/b |grep pass > C:\Windows\Temp\[A-Za-z].tmp 2> 1
   Type: Command

7. IoC: "cmd.exe" /C dir C:\Windows\ /s/b |findstr .sz4 > C:\Windows\Temp\[A-Za-z].tmp 2> 1
   Type: Command

8. IoC: cmd.exe /c schtasks /Create /F /RU Users /SC WEEKLY /MO 1 /ST 10:30 /D MON /TN "GoogleChromeUpdates" /TR
   Type: Command – Scheduled Task within .sz41 DLL

9. IoC: Wininiw.exe
   Type: Malicious Executable

10. IoC: [A-Z]{0-9}.sz41
    Type: Malicious DLL (encryptor and ransom note writer)

11. IoC: .sz41
    Type: Encryption extension

12. IoC: HELP__[A-Za-z]{0-9}__HELP.html
    Type: Ransom note

13. IoC: IThelperuser
    Type: Username

14. IoC: !2_HelpEr_E!2_HelpEr_E
    Type: Password

15. IoC: 165.232.165.215, 49.12.121.47, 168.100.9.216, 174.138.25.242, 143.198.207.6, 134.209.96.37
    Type: FZSFTP – IP Addresses, Port 443 (HTTPS)

16. IoC: 167.99.6.112
    Type: FZSFTP – IP Address, Port 22 (SSH)

17. IoC: GoogleChromeUpdates
    Type: Scheduled Task Name within .sz41 DLL

18. IoC: \[A-Za-z]
    Type: Scheduled Task Name

19. IoC: lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd[.]onion
    Type: Lorenz Darkweb Website
