Unmasking Lorenz Ransomware: A Dive into Recent Tactics, Techniques and Procedures
NCC Group's Digital Forensics Team shares its latest findings on how the notorious ransomware group is changing its strategies.
February 23, 2024
In the ever-evolving landscape of cyber threats, ransomware remains a persistent menace, with groups like Lorenz actively exploiting vulnerabilities in small to medium businesses globally. Since early 2021, Lorenz has been employing double-extortion tactics, exfiltrating sensitive data before encrypting systems and threatening to sell or release it publicly unless a ransom is paid by a specified date.
Recent investigations by NCC Group’s Digital Forensics and Incident Response (DFIR) Team in APAC have uncovered significant deviations in Lorenz’s Tactics, Techniques, and Procedures (TTPs), shedding light on the group’s evolving strategies.
Key TTP changes:
New encryption extension – .sz41
Random strings for file and schedule task names
Binaries to create local admin accounts for persistence
Scheduled tasks to conduct enumeration
New encryption method – DLL – RSA using current time epoch as seed (predictable)
Changing Encryption Extensions
One notable shift observed in Lorenz’s recent activities is a change in their encryption extension. Previously, the group used the extensions ‘Lorenz.sz40’ or ‘.sz40’; however, during the recent compromise, a new extension, ‘.sz41,’ was identified. While seemingly minor, these extensions often serve as the group’s signature, making this change noteworthy. A change in the encryption extension can also indicate a change in the encryption methods being used.
File and Task Naming Conventions
During the investigation, the threat actor preferred the use of randomly generated strings, such as ‘[A-Z]{0-9},’ for file names and scheduled tasks. This includes the ransom note, now named ‘HELP__[A-Za-z]{0-9}__HELP.html,’ in contrast to the previously reported ‘HELP_SECURITY_EVENT.html.’ This demonstrates the group’s adaptability and attempts to subvert known Indicators of Compromise.
Malicious File: Wininiw.exe
A key discovery during the investigation was the presence of ‘Wininiw.exe’ in the ‘C:\Windows\*’ directory on compromised systems. The threat actor utilized this executable to modify the local Windows Registry, creating a new user with a specified password, and adding it to the Administrator group. Although the threat actor already had Administrator privileges, the creation of a new user may serve as a backup persistence mechanism.
Scheduled Tasks
To conduct enumeration, the threat actor used Scheduled Tasks to launch the command prompt and run built-in commands. These commands matched previously reported TTPs, and primarily consisted of searching the device for cleartext passwords and dumping the result to C:\Windows\Temp. It is likely the threat actor used Scheduled Tasks to automate enumeration and to ensure their commands were executed with SYSTEM privileges.
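As an added example (not code from the original article or from NCC Group), the following detection logic runs a few rules modelled on the command lines listed in this article's Indicators of Compromise over constructed process-creation records. The sample events, the rule set and the event field names are all assumptions made for the demonstration.

```python
import re

# Constructed process-creation records modelled on the command lines reported
# in this article (not real telemetry): cmd.exe launched from Scheduled Tasks.
SAMPLE_EVENTS = [
    {"user": r"NT AUTHORITY\SYSTEM",
     "cmd": r'"cmd.exe" /C dir D:\ /s/b |findstr pass > C:\Windows\Temp\AbCd.tmp 2> 1'},
    {"user": r"NT AUTHORITY\SYSTEM",
     "cmd": r'"cmd.exe" /C dir C:\Windows\ /s/b |findstr .sz4 > C:\Windows\Temp\QwEr.tmp 2> 1'},
    {"user": r"NT AUTHORITY\SYSTEM",
     "cmd": r'cmd.exe /c bcdedit /set {default} safeboot network'},
    {"user": r"CORP\svc-admin",
     "cmd": r'"cmd.exe" /Q /C del c:\Windows\Wininiw.exe'},
    {"user": r"CORP\jsmith",
     "cmd": r'cmd.exe /c dir C:\Users\jsmith\Documents /s/b'},   # benign control
]

# Each rule is a label plus a regex over the command line; the patterns follow
# the IoCs listed at the end of the article.
RULES = [
    ("recursive dir piped to findstr/grep for 'pass', output to Windows\\Temp",
     re.compile(r"dir\s+\S+\s+/s\s*/b\s*\|\s*(findstr|grep)\s+pass\b.*>\s*c:\\windows\\temp\\", re.I)),
    ("search for .sz4* encrypted files, output to Windows\\Temp",
     re.compile(r"(findstr|grep)\s+\.sz4.*>\s*c:\\windows\\temp\\", re.I)),
    ("boot forced into Safe Mode with Networking via bcdedit",
     re.compile(r"bcdedit\s+/set\s+\{default\}\s+safeboot\s+network", re.I)),
    ("executable copied to or deleted directly under C:\\Windows",
     re.compile(r"\b(copy|del)\b.*\bc:\\windows\\[^\\\s]+\.exe\b", re.I)),
]

def match_event(event: dict) -> list:
    """Return the labels of every rule the command line triggers; a SYSTEM
    context is noted because the article reports the tasks ran as SYSTEM."""
    hits = [label for label, rx in RULES if rx.search(event["cmd"])]
    if hits and event["user"].upper().endswith("\\SYSTEM"):
        hits.append("ran as SYSTEM")
    return hits

def scan(events=SAMPLE_EVENTS) -> list:
    """Return (command line, hits) for every event that triggers a rule."""
    flagged = []
    for ev in events:
        hits = match_event(ev)
        if hits:
            flagged.append((ev["cmd"], hits))
    return flagged
```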
Encryption
We observed the threat actor employing a DLL titled ‘[A-Z]{0-9}.sz41,’ positioned within the ‘C:\Windows\*’ directory. This DLL was responsible for both the encryption process and the creation of the ransom note. Notably, the encryption technique deviated from previously documented methods.
In this instance, the threat actor employed the current epoch time as a seed for a random number generator, which was subsequently used to generate a passphrase and then derive the encryption key. It is worth noting that this approach introduces a level of predictability to the encryption key if the period during which the encryption occurred is known. The DLL also contained a significant amount of redundant code, which does not execute, indicating this DLL has been iterated upon and possibly customized depending on the victim’s environment.
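To show why a time-seeded passphrase is recoverable, here is an added model (not the Lorenz DLL's actual code): the PRNG, the passphrase alphabet, the SHA-256 key derivation and the toy stream cipher are all assumptions for the demonstration. A responder who knows the window in which encryption ran needs only one derivation per second of uncertainty to find the seed that turns a known file header back into plaintext.

```python
import hashlib
import random

# Hypothetical model of a time-seeded key schedule (an assumption for this
# demonstration, not the Lorenz DLL's real code): the PRNG is seeded with the
# epoch second, a passphrase is drawn from it, and the key is SHA-256 of it.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
PASSPHRASE_LEN = 16

def passphrase_from_seed(seed: int) -> str:
    rng = random.Random(seed)          # deterministic: same seed, same passphrase
    return "".join(rng.choice(ALPHABET) for _ in range(PASSPHRASE_LEN))

def key_from_seed(seed: int) -> bytes:
    return hashlib.sha256(passphrase_from_seed(seed).encode()).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher for the demo: keystream block i = SHA-256(key || i).
    # Encryption and decryption are the same operation.
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_with_epoch(seed_epoch: int, plaintext: bytes) -> bytes:
    return keystream_xor(key_from_seed(seed_epoch), plaintext)

def recover_seed(ciphertext: bytes, known_prefix: bytes, window_start: int, window_end: int):
    """Try every epoch second in the window; the seed whose key turns the
    ciphertext prefix back into the known plaintext (a file magic, say) is
    the one used. Cost is one key derivation per second of uncertainty."""
    sample = ciphertext[:len(known_prefix)]
    for seed in range(window_start, window_end + 1):
        if keystream_xor(key_from_seed(seed), sample) == known_prefix:
            return seed
    return None

def demo():
    # Constructed victim file: a PDF whose first bytes are known to anyone.
    plaintext = b"%PDF-1.7\n%constructed sample document\n"
    true_seed = 1_700_003_600                    # constructed epoch second
    ciphertext = encrypt_with_epoch(true_seed, plaintext)
    # The responder knows from logs that encryption ran in a two-hour window.
    found = recover_seed(ciphertext, b"%PDF-1.7", 1_700_000_000, 1_700_007_200)
    recovered = keystream_xor(key_from_seed(found), ciphertext) if found else None
    return found, recovered == plaintext
```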
As ransomware gangs continue to evolve their tactics, organizations must remain vigilant and adapt their cybersecurity strategies accordingly. The recent investigation by NCC Group underscores the importance of continuous monitoring and analysis to stay ahead of ransomware threats. By understanding the evolution of Lorenz’s recent activities, organizations and cyber defenders can be better prepared to identify ransomware precursors and mitigate the risk associated with ransomware groups.
Indicators of Compromise
1. IoC: “cmd.exe” /Q /C (copy \\<Domain>\NETLOGON\report.txt c:\Windows\WinIniw.exe dir dir start /b c:\Windows\WinIniw.exe dir)
Type: Command
2. IoC: cmd.exe /c bcdedit /set {default} safeboot network
Type: Command
3. IoC: “cmd.exe” /Q /C dir shutdown /r /t 600 dir
Type: Command
4. IoC: “cmd.exe” /Q /C del c:\Windows\Wininiw.exe
Type: Command
5. IoC: “cmd.exe” /C dir D:\ /s/b |findstr pass > C:\Windows\Temp\[A-Za-z].tmp 2> 1
Type: Command
6. IoC: “cmd.exe” /C dir D:\ /s/b |grep pass > C:\Windows\Temp\[A-Za-z].tmp 2> 1
Type: Command
7. IoC: “cmd.exe” /C dir C:\Windows\ /s/b |findstr .sz4 > C:\Windows\Temp\[A-Za-z].tmp 2> 1
Type: Command
8. IoC: cmd.exe /c schtasks /Create /F /RU Users /SC WEEKLY /MO 1 /ST 10:30 /D MON /TN “GoogleChromeUpdates” /TR
Type: Command – Scheduled Task within .sz41 DLL
9. IoC: Wininiw.exe
Type: Malicious Executable
10. IoC: [A-Z]{0-9}.sz41
Type: Malicious Executable
11. IoC: .sz41
Type: Encryption extension
12. IoC: HELP__[A-Za-z]{0-9}__HELP.html
Type: Ransom note
13. IoC: IThelperuser
Type: Username
14. IoC: !2_HelpEr_E!2_HelpEr_E
Type: Password
15. IoC: 165.232.165.215 49.12.121.47 168.100.9.216 174.138.25.242 143.198.207.6 134.209.96.37
Type: FZSFTP – IP Addresses Port: 443 (HTTPS)
16. IoC: 167.99.6.112
Type: FZSFTP – IP Address Port: 22 (SSH)
17. IoC: GoogleChromeUpdates
Type: Scheduled Task Name within .sz41 DLL
18. IoC: \[A-Za-z]
Type: Scheduled Task Name
19. IoC: lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd[.]onion
Type: Lorenz Darkweb Website