The Lorenz ransomware gang has been active since April. Lorenz operators follow the double extortion model: they steal data before encrypting it and then threaten the victim if the ransom is not paid. Ransom demands have been quite high, between $500,000 and $700,000.

Researchers developed a decryptor that in some cases could allow victims to decrypt their files for free. The Lorenz ransomware uses a combination of RSA and AES-128 in CBC mode to encrypt files. It uses a randomly generated password for each file, and an encryption key is then derived from it using the CryptDeriveKey function.

The ransomware is likely written in C++ using Microsoft Visual Studio 2015. The samples analyzed by the experts were all compiled with debug information, which made the analysis easier.

Lorenz creates a mutex called “wolf” at startup to ensure that only one instance runs at a time on an infected system. Lorenz sends the name of the infected system to a C2 server before encrypting files.

Files encrypted by ransomware commonly contain footers, as footers can be easily appended to a file. Lorenz places a header before the encrypted file instead. This makes the ransomware less efficient as it must copy the contents of every file. The header contains the magic value: ‘.sz40’, followed by the RSA-encrypted file encryption key. After writing the encrypted file header, every file is encrypted whole in rather small blocks of 48 bytes. Encrypted files get the file extension: ‘.Lorenz.sz40’.
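A triage sketch for the file layout described above, added here as an example and not taken from the researchers' decryptor: it flags files by the ‘.Lorenz.sz40’ extension and by the ‘.sz40’ magic value, and separates the cases where only one of the two matches. It assumes the magic is stored as ASCII in the first five bytes of the file; the function names and sample files are constructed for illustration.

```python
import os
import tempfile

MAGIC = b".sz40"            # assumption: ASCII magic at offset 0 of the header
EXTENSION = ".lorenz.sz40"  # compared case-insensitively

def classify(path):
    """Return 'confirmed', 'extension-only', 'magic-only' or None for one file."""
    has_ext = path.lower().endswith(EXTENSION)
    try:
        with open(path, "rb") as fh:
            has_magic = fh.read(len(MAGIC)) == MAGIC
    except OSError:
        has_magic = False  # unreadable file: fall back to the name alone
    if has_ext and has_magic:
        return "confirmed"
    if has_ext:
        return "extension-only"  # renamed, truncated or not this family
    if has_magic:
        return "magic-only"      # header present but the name was changed
    return None

def scan(root):
    """Walk root and map each suspicious path to its classification."""
    paths = (os.path.join(d, n) for d, _sub, names in os.walk(root) for n in names)
    verdicts = ((p, classify(p)) for p in paths)
    return {p: v for p, v in verdicts if v}

def demo():
    """Build a constructed sample tree and return verdicts keyed by file name."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # all four files are constructed test data
            "report.docx.Lorenz.sz40": MAGIC + b"\x00" * 64,
            "notes.txt.Lorenz.sz40": b"plain text",
            "budget.xlsx": MAGIC + b"\x01" * 64,
            "readme.txt": b"untouched",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): v for p, v in scan(root).items()}

if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:15} {name}")
```

Files reported as "confirmed" are the candidates for the decryptor; the other two verdicts call for manual review before any recovery attempt.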

There is a bug in the encryption process: for every file whose size is a multiple of 48 bytes, the last 48 bytes are lost. Even if you managed to obtain a decryptor from the malware authors, these bytes cannot be recovered. If the file is not corrupted, it can be recovered without paying the ransom.

The decryptor will soon be available on the No More Ransom forum.