Unmasking Lorenz Ransomware: A Dive into Recent Tactics, Techniques and Procedures  (2024)

Global Threat Intelligence

Digital Forensics and Incident Response (DFIR)

Threat Intelligence

February 22, 2024

4 mins read

Author: Zaid Baksh

In the ever-evolving landscape of cyber threats, ransomware remains a persistent menace, with groups like Lorenz actively exploiting vulnerabilities in small to medium businesses globally. Since early 2021, Lorenz has been employing double-extortion tactics, exfiltrating sensitive data before encrypting systems and threatening to sell or release it publicly unless a ransom is paid by a specified date.

Recent investigations by NCC Group’s Digital Forensics and Incident Response (DFIR) Team in APAC have uncovered significant deviations in Lorenz’s Tactics, Techniques, and Procedures (TTPs), shedding light on the group’s evolving strategies.

Key TTP changes:

  • New encryption extension – .sz41
  • Random strings for file and schedule task names
  • Binaries to create local admin accounts for persistence
  • Scheduled tasks to conduct enumeration
  • New encryption method – DLL – RSA using current time epoch as seed (predictable)

Changing Encryption Extensions

One notable shift observed in Lorenz’s recent activities is a change in their encryption extension. Previously, the group used the extensions ‘Lorenz.sz40’ or ‘.sz40’; however, during the recent compromise, a new extension, ‘.sz41,’ was identified. While seemingly minor, these extensions often serve as the group’s signature, making this change noteworthy. A change in the encryption extension can also indicate a change in the encryption methods being used.

File and Task Naming Conventions

During the investigation, the threat actor favoured randomly generated strings (of the form ‘[A-Z]{0-9}’) for file names and scheduled task names. This includes the ransom note, now named ‘HELP__[A-Za-z]{0-9}__HELP.html’, in contrast to the previously reported ‘HELP_SECURITY_EVENT.html’. This demonstrates the group’s adaptability and its attempts to evade known Indicators of Compromise.

Malicious File: Wininiw.exe

A key discovery during the investigation was the presence of ‘Wininiw.exe’ in the ‘C:\Windows\*’ directory on compromised systems. The threat actor used this executable to modify the local Windows Registry, creating a new user with a specified password and adding it to the local Administrators group. Although the threat actor already held Administrator privileges, the creation of a new user may serve as a backup persistence mechanism.

Scheduled Tasks

To conduct enumeration, the threat actor used Scheduled Tasks to launch the command prompt (cmd.exe) and run built-in commands. These commands matched previously reported TTPs and primarily consisted of searching the device for cleartext passwords and writing the results to C:\Windows\Temp. The threat actor likely used Scheduled Tasks to automate enumeration and to ensure the commands ran with SYSTEM privileges.

Encryption

We observed the threat actor employing a DLL titled ‘[A-Z]{0-9}.sz41’, positioned within the ‘C:\Windows\*’ directory. This DLL was responsible for both the encryption process and the creation of the ransom note. Notably, the encryption technique deviated from previously documented methods.

In this instance, the threat actor employed the current epoch time as a seed for a random number generator, which was subsequently used to generate a passphrase and then derive the encryption key. It is worth noting that this approach introduces a level of predictability to the encryption key if the period during which the encryption occurred is known. The DLL also contained a significant amount of redundant code, which does not execute, indicating this DLL has been iterated upon and possibly customized depending on the victim’s environment.
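The toy below is an added illustration, not Lorenz’s actual derivation routine (which the post does not detail) and not code from NCC Group: it shows why seeding a PRNG with the epoch second lets a responder who knows the encryption window recover the key by trying every second in that window against a known file header. The passphrase alphabet, the SHA-256-based stream cipher and the sample document are all constructed assumptions.

```python
import hashlib
import random

# Constructed passphrase alphabet; the real routine is not described in the post.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

def derive_key(epoch_seconds: int) -> bytes:
    """Seed a PRNG with the epoch time, draw a passphrase, hash it into a key.
    Because the seed is the time, the key depends only on the second of encryption."""
    rng = random.Random(epoch_seconds)
    passphrase = "".join(rng.choice(ALPHABET) for _ in range(16))
    return hashlib.sha256(passphrase.encode()).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (illustration only): XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)

def recover_key(ciphertext: bytes, known_prefix: bytes, window_start: int, window_end: int):
    """Try every second in the incident window; the key is found when the decrypted
    header equals a known file magic (e.g. b'%PDF'). Returns (second, key) or None."""
    for t in range(window_start, window_end + 1):
        key = derive_key(t)
        if keystream_xor(key, ciphertext[:len(known_prefix)]) == known_prefix:
            return t, key
    return None

def demo() -> bool:
    """Constructed scenario: a file encrypted at an unknown second inside a one-hour window."""
    true_time = 1_700_000_000 + 1234
    plaintext = b"%PDF-1.7 constructed sample document contents"
    ciphertext = keystream_xor(derive_key(true_time), plaintext)
    found = recover_key(ciphertext, b"%PDF", 1_700_000_000, 1_700_000_000 + 3600)
    return found is not None and found[0] == true_time \
        and keystream_xor(found[1], ciphertext) == plaintext

if __name__ == "__main__":
    print("key recovered from one-hour window:", demo())
```

A one-hour window is only 3,601 candidate keys, which is why knowing when encryption ran (from file timestamps or event logs) matters so much for recovery.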

As ransomware gangs continue to evolve their tactics, organisations must remain vigilant and adapt their cybersecurity strategies accordingly. The recent investigation by NCC Group underscores the importance of continuous monitoring and analysis to stay ahead of ransomware threats. By understanding the evolution of Lorenz’s recent activities, organisations and cyber defenders can be better prepared to identify ransomware precursors and mitigate the risk associated with ransomware groups.

Indicators of Compromise

IoC – Type

“cmd.exe” /Q /C (copy \\<Domain>\NETLOGON\report.txt c:\Windows\WinIniw.exe dir dir start /b c:\Windows\WinIniw.exe dir) – Command
cmd.exe /c bcdedit /set {default} safeboot network – Command
“cmd.exe” /Q /C dir shutdown /r /t 600 dir – Command
“cmd.exe” /Q /C del c:\Windows\Wininiw.exe – Command
“cmd.exe” /C dir D:\ /s/b |findstr pass > C:\Windows\Temp\[A-Za-z].tmp 2> 1 – Command
“cmd.exe” /C dir D:\ /s/b |grep pass > C:\Windows\Temp\[A-Za-z].tmp 2> 1 – Command
“cmd.exe” /C dir C:\Windows\ /s/b |findstr .sz4 > C:\Windows\Temp\[A-Za-z].tmp 2> 1 – Command
cmd.exe /c schtasks /Create /F /RU Users /SC WEEKLY /MO 1 /ST 10:30 /D MON /TN “GoogleChromeUpdates” /TR – Command (Scheduled Task within .sz41 DLL)
Wininiw.exe – Malicious Executable
[A-Z]{0-9}.sz41 – Malicious Executable
.sz41 – Encryption extension
HELP__[A-Za-z]{0-9}__HELP.html – Ransom note
IThelperuser – Username
!2_HelpEr_E!2_HelpEr_E – Password
165.232.165.21549.12.121.47168.100.9.216174.138.25.242143.198.207.6134.209.96.37 – FZSFTP IP Addresses, Port: 443 (HTTPS)
167.99.6.112 – FZSFTP IP Address, Port: 22 (SSH)
GoogleChromeUpdates – Scheduled Task Name within .sz41 DLL
\[A-Za-z] – Scheduled Task Name
lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd[.]onion – Lorenz Darkweb Website
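To turn the command-line indicators above into something a SOC can run, here is an added example (not from the NCC Group post) that matches the password-hunting, scheduled-task, bcdedit and Wininiw.exe patterns against constructed process-creation log lines in a “CommandLine=” format; the rule names, the log format and the sample lines are assumptions.

```python
import re

# Added example: regex detections for the command-line TTPs in the Lorenz IoC table.
RULES = {
    # recursive dir piped to findstr/grep for "pass", output dumped into C:\Windows\Temp
    "cleartext_password_hunt": re.compile(
        r"\|\s*(findstr|grep)\s+pass\s*>\s*C:\\Windows\\Temp\\", re.I),
    # weekly task created under the browser-update lure name
    "schtasks_chrome_update_lure": re.compile(
        r"schtasks\s+/Create.*?/TN\s+\"?GoogleChromeUpdates\"?", re.I),
    # boot configuration switched to safe mode with networking
    "bcdedit_safeboot": re.compile(
        r"bcdedit\s+/set\s+\{default\}\s+safeboot\s+network", re.I),
    # system directory searched for the .sz4x encryption extension
    "sz4_extension_search": re.compile(
        r"dir\s+C:\\Windows\\.*?findstr\s+\.sz4", re.I),
    # the persistence binary dropped into C:\Windows
    "wininiw_exe": re.compile(r"\\Windows\\Wininiw\.exe", re.I),
}

def scan(lines):
    """Return (rule_name, line) pairs for every log line that matches a rule."""
    hits = []
    for line in lines:
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append((name, line))
    return hits

# Constructed sample telemetry (not real logs). The /TR argument is a placeholder
# because the post truncates it.
SAMPLE_LOG = [
    r'CommandLine="cmd.exe" /C dir D:\ /s/b |findstr pass > C:\Windows\Temp\Ab.tmp 2> 1',
    r'CommandLine=cmd.exe /c schtasks /Create /F /RU Users /SC WEEKLY /MO 1 /ST 10:30 /D MON /TN "GoogleChromeUpdates" /TR "<task-command>"',
    r'CommandLine=cmd.exe /c dir C:\Users\alice\Documents',
    r'CommandLine=cmd.exe /c bcdedit /set {default} safeboot network',
    r'CommandLine="cmd.exe" /C dir C:\Windows\ /s/b |findstr .sz4 > C:\Windows\Temp\Cd.tmp 2> 1',
    r'CommandLine="cmd.exe" /Q /C del c:\Windows\Wininiw.exe',
]

if __name__ == "__main__":
    for name, line in scan(SAMPLE_LOG):
        print(f"[{name}] {line}")
```

The benign third line (a user listing their own Documents folder) produces no hit, which is the kind of negative case worth keeping in a detection test set.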

If you think your organisation may have been compromised based on any of the above indicators, please contact our 24/7 Cyber Incident Response Team immediately to conduct an assessment.

Published by Global Threat Intelligence
