New decryption tool will allow victims of Lorenz ransomware to recover their files without paying hackers

The operators of Lorenz, a group of ransomware hackers active since early 2021, have attacked dozens of companies around the world in just a few months, demanding ransoms of hundreds of thousands of dollars. This group also resorts to the technique of double extortion, stealing confidential information and then encrypting the affected systems to force companies to make payments of between $500,000 and $700,000 USD.

A few weeks ago researchers from the company Tesorion began analyzing a sample of this malware, which allowed them to develop a decryption tool that, in some cases, would allow victims to regain access to their files without having to negotiate with the attackers. This tool will be launched in conjunction with the NoMoreRansom project.

The experts also discovered that Lorenz operators use a combination of RSA and AES-128 in CBC mode to encrypt infected files: the ransomware generates a unique password for each file and derives the file's encryption key from it using CryptDeriveKey. The research also notes that the ransomware appears to be written in C++ using Microsoft Visual Studio.

As for how it works, the report notes that Lorenz uses a mutex named “wolf” to ensure that it runs only once on the infected system. Before encrypting each file, the ransomware sends the file's name to a C&C server, and it then writes a header in front of the encrypted content.

This header contains the value .sz40 followed by the encryption key. After writing the encrypted file header, all files are encrypted in fairly small blocks of 48 bytes. Encrypted files receive the .Lorenz.sz40 extension.

Finally, the experts found a flaw in the way the CryptEncrypt function is used during the encryption process: “As a result of this error, for every file whose size is a multiple of 28 bytes, the last 48 bytes will be lost. This information will be lost even if you use the decryption tool sent by the hackers,” the experts mention.
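For incident responders triaging an affected system, the following added example (not code from the Tesorion report or the NoMoreRansom tool) parses the on-disk layout described above: the `.Lorenz.sz40` extension, the `.sz40` magic, the per-file key blob, and the 48-byte block structure, and flags files that meet the quoted data-loss condition when their original size is known. The length of the key blob following the magic is not given in the article, so `KEY_BLOB_LEN` is an assumption.

```python
import os
from dataclasses import dataclass
from typing import Dict, Optional

MAGIC = b".sz40"            # header value reported by the researchers
EXTENSION = ".Lorenz.sz40"  # extension given to encrypted files
BLOCK_SIZE = 48             # ciphertext block size reported by the researchers
LOSSY_MULTIPLE = 28         # original-size condition for the data-loss flaw, as quoted
KEY_BLOB_LEN = 256          # ASSUMPTION: the per-file key blob is 256 bytes long


@dataclass
class LorenzFile:
    path: str
    key_blob: bytes                 # material a decryption tool would need
    ciphertext_len: int
    whole_blocks: bool              # ciphertext is a whole number of 48-byte blocks
    tail_loss_risk: Optional[bool]  # None when the original size is unknown


def parse_lorenz_file(path: str, data: bytes,
                      original_size: Optional[int] = None) -> Optional[LorenzFile]:
    """Return a LorenzFile for data matching the described layout, else None."""
    if not path.endswith(EXTENSION) or not data.startswith(MAGIC):
        return None
    body = data[len(MAGIC):]
    if len(body) < KEY_BLOB_LEN:
        return None  # truncated header: not a usable sample
    ciphertext = body[KEY_BLOB_LEN:]
    risk = None if original_size is None else original_size % LOSSY_MULTIPLE == 0
    return LorenzFile(path, body[:KEY_BLOB_LEN], len(ciphertext),
                      len(ciphertext) % BLOCK_SIZE == 0, risk)


def scan_directory(root: str) -> Dict[str, LorenzFile]:
    """Walk root and collect every file that parses as a Lorenz-encrypted file."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                parsed = parse_lorenz_file(full, fh.read())
            if parsed:
                found[full] = parsed
    return found


def constructed_sample(ciphertext_len: int) -> bytes:
    """Constructed test data in the described layout; not a real Lorenz file."""
    return MAGIC + bytes([0xAB]) * KEY_BLOB_LEN + bytes([0xCD]) * ciphertext_len
```

The original size needed for the loss check comes from backups, shadow copies or an asset inventory, not from the encrypted file itself.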
