March 22, 2023

Hensoldt, a multinational defense contractor, confirmed that some of its UK subsidiary’s systems were infected with Lorenz ransomware. Lorenz has been active since April last year and has hit multiple organizations worldwide, demanding hundreds of thousands of dollars in ransom from its victims.


Lorenz operators also use a double-extortion model: they steal data before encrypting it, then threaten the victim if the ransom isn’t paid. Ransom demands have been quite high, between $500,000 and $700,000.

Hensoldt AG focuses on sensor technologies for protection and surveillance missions in the defence, security and aerospace sectors. The company is listed on the Frankfurt Stock Exchange; its main product areas are radar, optoelectronics, and avionics.

The company holds classified and sensitive contracts with the US government; its products equip tanks, helicopter platforms, submarines and Littoral Combat Ships, among others.

The Lorenz ransomware gang has already added the company’s name to the list of compromised organizations on its Tor leak site. The ransomware group claims to have already uploaded 95% of all stolen files to its leak site.


The gang labeled the archive file as “Paid,” which means that Hensoldt or someone else has paid to prevent the files from being leaked.

A decryptor is available that in some cases could allow victims to decrypt their files for free. 

Indicators of Compromise

  • 4b1170f7774acfdc5517fbe1c911f2bd9f1af498f3c3d25078f05c95701cc999
  • 71cdbbc62e10983db183ca60ab964c1a3dab0d279c5326b2e920522480780956
  • 157[.]90[.]147[.]28
  • 172[.]86[.]75[.]63 (C2)
