A new ransomware gang has been detected to target various organizations globally with their customized attacks. The ransomware is dubbed Lorenz and it has started it operation last month. It has made a growing list of victims since then.
What has happened?
Researchers have found that this ransomware is almost same as another ransomware named ThunderCrypt. However, they are not sure if Lorenz is created by the same group or the source code of ThunderCrypt has been purchased by someone else.
- Lorenz starts with the breach of the network of the organization and then it spreads laterally to other devices until it gains the access to the credentials of Windows domain administrator.
- The ransomware collects information while spreading through the system, and upload it to the remote server.
- The ransomware does a process called double extortion, where they upload the stolen data to the dedicated data leak sites and pressurize the victim to y the ransom. Also, the data can be bought by other threat actors.
New way of leaking the stolen data-
Lorenz has devised an innovative trick to pressurize the victim to pay the ransomware-
- The stolen data is kept for sale by the threat actors by releasing password protected data for leak archives with the data of the victim.
- In case no ransomware is paid or the stolen data is not purchased by anyone, they make the data publicly available by releasing the password for the archive.
- They also sell the network of the victim along with the data, which sometimes can be more useful.
This new ransomware is spreading fast with high ransom demand and customized attack. They also sell access to breached networks. So, it is important for the security professionals to keep an eye out for this kind of threats.