From the Labs: YARA Rule for Detecting Lorenz

ReversingLabs analysts are constantly working to respond to new threats and provide our customers with information and tools to defend their systems from attacks. Written by our threat analysts, our high-quality, open source YARA rules help threat hunters, incident responders, security analysts, and other defenders detect malicious behavior in their environment.

In this series, we break down some of the threats behind our YARA detection rules that can help your organization detect threats within your environment.

Lorenz: A Persistent, Money-Driven Operation

The Lorenz ransomware operation has been active since April of 2021, and has been attacking victims globally since. Like other “double extortion” ransomware groups, Lorenz steals data from its ransomware victims and operates a leak site where they publish their victims’ data, showing proof that they infiltrated their networks.

This operation is unique, compared to other ransomware gangs, in that it initially makes the stolen data available for sale to other threat actors or possible competitors while also demanding a ransom from the victim. Lorenz does this by releasing password-protected RAR archives containing the victim’s data. The group will then publicly release the password for the data leak archives if the victim did not pay the ransom and if the data was not purchased by another entity.

Another differentiating factor that makes Lorenz stand out in the ransomware field is that it sells data on its victims’ internal networks, which some actors find to be of more value than a victim’s data, according to BleepingComputer’s analysis of Lorenz’s leak site.

Deploying the Ransomware

According to researcher Michael Gillespie of ID Ransomware, the encryptor that Lorenz uses is the same one that ThunderCrypt, a previous ransomware group, used in their attacks. It is not known however if these groups are related, or if Lorenz purchased the ransomware source code to create its own variant, according to BleepingComputer.

Based on 2021 samples seen by BleepingComputer, the ransomware operation customizes the malware executable for the specific victim they are targeting, taking a more targeted approach. Lorenz then uses AES encryption once it infects a network, as well as an embedded RSA key to encrypt the encryption key. All encrypted files are then given the .Lorenz.sz40 extension. In one of the samples BleepingComputer analyzed, they found that Lorenz did not kill processes or shut down Windows services before encrypting the network’s files.

Once the encryption stage is complete, all of the folders on a victim’s computer will become ransom notes named HELP_SECURITY_EVENT.html, containing information about how the victim’s files were encrypted. The information also includes the link to Lorenz’s leak site and a unique Tor payment site where victims can pay the demanded ransom, according to the sample seen by BleepingComputer.

Lorenz Exploits Vulnerability in Phone System Software

Several months after its inception, the Lorenz operation had found a new attack avenue to exploit. Based on research from Arctic Wolf Labs, the operation used a critical vulnerability in Mitel MiVoice VOIP appliances to breach enterprises. The vulnerability, CVE-2022-29499, is a remote code execution vulnerability that allows the threat actor to obtain a reverse shell, followed by using Chisel as a tunneling tool to pivot into the victim’s environment.

Security expert Kevin Beumont told BleepingComputer that this new attack avenue would open Lorenz up to over 19,000 devices, with many of these products being used by organizations in critical sectors worldwide. Mitel did release security patches for the vulnerability in June 2022, but new evidence shows that patching alone did not stop Lorenz from attacking impacted enterprises.

In January 2023, researchers at S-RM discovered that Lorenz was able to use the same Mitel vulnerability to plant a backdoor, and months later the group used its access to move laterally in the victim’s network, stealing data and encrypting systems. The hackers managed to move quickly by exploiting the vulnerability before the patch was made, allowing Lorenz to gain initial access, and wait five months before actually stealing data from the victim’s network.

S-RM researchers believe the five month dormancy period could suggest that Lorenz purchased their access to the victim network through a broker. BleepingComputer shared another theory that Lorenz has a dedicated branch of staff that has the duty of maintaining initial access, protecting it against possible hijacking by other intruders.

Based on the operation’s efforts to exploit the Mitel vulnerability, it’s clear that Lorenz is open to using creative and unique means to exploit a range of global victims. Exploiting a vulnerability in a VOIP service and waiting to carry out the attack for five months is an unusual route of action for ransomware groups. However, this out-of-ordinary approach, when compared to more typical attack routes like phishing emails, made the group successful in a year where ransomware operations saw a decrease in profits, weakening many of these operations.

A Series of Global Victims

Back in April 2021, Lorenz managed to attack at least 12 victims globally. In this same timeline of initial attacks, Lorenz demanded ransoms from victims that ranged from $500,000-700,000, according to ransom notes seen by BleepingComputer.

Later in September 2022, BleepingComputer reported that the group’s list of victims included Hensoldt, a multinational defense contractor based in Germany, and Canada Post, Canada’s primary postal operator.

Shortly after, the U.S. Department of Health and Human Services Cybersecurity Coordination Center warned large, enterprise healthcare organizations of the threat posed by Lorenz specifically. The warning came about as a result of Lorenz targeting victims in both the healthcare and public health sectors, according to SC Media.

Lorenz poses a serious threat, not only because it has proven attack abilities, but also because of the group’s interest in targeting critical infrastructure organizations globally. Critical services that nations depend on are at risk of not just financial and reputational burdens, but also of inhibiting societal stability if they are unable to provide their services.

Detecting Lorenz

Considering the longstanding place that Lorenz has in the ransomware landscape and its focus on targeting critical infrastructure, it is more important than ever for organizations to stay vigilant and defend themselves against this threat. ReversingLabs’ Lorenz YARA rule is designed to detect this ransomware within your environment with high fidelity and almost no false-positives.

Download the Lorenz YARA Rule here:

Win32.Ransomware.Lorenz.yara

To learn more about the prerequisites for using ReversingLabs’ YARA rules, consult our Github page. To learn more about how our threat analysts write these YARA rules, check out this blog post from ReversingLabs threat analyst Laura Dabelić.

The Work Doesn’t Stop Here

ReversingLabs team of analysts are constantly surveying the threat landscape in an effort to better serve our customers and the greater security community. Don’t hesitate to contact us if you’d like to learn more about how we help organizations combat threats like malicious wipers and ransomware or to schedule a demonstration.