Experts developed a free decryptor for the Lorenz ransomware

Researchers analyzed a recently discovered threat, the Lorenz ransomware, and developed a free decryptor for the victims of this new operation.

The Lorenz ransomware gang has been active since April and hit multiple organizations worldwide demanding hundreds of thousands of dollars in ransoms to the victims.

Like other ransomware gangs, Lorenz operators also implement double-extortion model by stealing data before encrypting it and threatening them if the victim doesn’t pay the ransom. Ransom demands have been quite high, between $500.000 and $700.000.

Researchers from cybersecurity firm Tesorion analyzed the ransomware and developed a decryptor that in some cases could allow victims to decrypt their files for free. The security firm plans to release the decryptor through the NoMoreRansom initiative soon.

The Lorenz ransomware uses a combination of RSA and AES-128 in CBC mode to encrypt files, it uses a random generated password for each file, and an encryption key is then derived using the CryptDeriveKey function.

The ransomware is likely written in C++ using Microsoft Visual Studio 2015, the samples analyzed by the experts were all compiled with debug information making the analysis easier.

Lorenz creates a mutex called “wolf” at startup to ensure that it is executed only once at a time on the infected systems. Lorenz sends the name of the infected system to a C2 before encrypting the file.

“Files encrypted by ransomware commonly contain footers, as footers can be easily appended to a file. Lorenz places a header before the encrypted file instead. This makes the ransomware less efficient as it must copy the contents of every file. The header contains the magic value: ‘.sz40’, followed by the RSA-encrypted file encryption key. After writing the encrypted file header, every file is encrypted whole in rather small blocks of 48 bytes. Encrypted files get the file extension: ‘.Lorenz.sz40’.” reads the analysis published by Tesorion.

Experts found a bug in the encryption process, specifically in the usage of the CryptEncrypt function.

“The result of this bug is that for every file which’s size is a multiple of 48 bytes, the last 48 bytes are lost. Even if you managed to obtain a decryptor from the malware authors, these bytes cannot be recovered.” states the analysis.

Experts determined that they can decrypt (non-corrupted) affected files in some cases without paying the ransom.

The analysis also includes Indicators of compromise (IoCs) for this specific threat.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Crackonosh)

[adrotate banner=”5″]

[adrotate banner=”13″]