Skip links

Lorenz ransomware crew bungles blackmail blueprint by leaking two years of contacts

The Lorenz ransomware group leaked the details of every person who contacted it via its online contact form over the course of the last two years.

A security researcher noticed Lorenz’s dark web victim blog was leaking backend code, pulled the data from the site, and uploaded to it a public GitHub repository.

The data includes names, email addresses, and the subject line entered into the ransomware group’s limited online form to request information from Lorenz.

Sometime over the course of the last month, someone on the Lorenz team misconfigured their Apache2 web server, causing their login form to leak backend PHP code

A subset of the individuals included in the breach were approached by The Register and all confirmed they had contacted Lorenz in the past two years.

Data entries included in the leak date back to June 3, 2021, and end on September 17, 2023 – the date the contact form broke.

Security firm Cybereason previously asserted that the Lorenz group was first observed in February 2021, meaning the leaked data almost spans the entire time the group has existed.

Htmalgae, the online handle of the professional security researcher who found and published the leak on the clear web, exclusively told The Register that the leak was due to a misconfigured Apache2 server.

Code editor showing the PHP code leaked by Lorenz's ransomware blog

Code editor showing the PHP code leaked by Lorenz’s ransomware blog

“Sometime over the course of the last month, someone on the Lorenz team misconfigured their Apache2 web server, causing their login form to leak backend PHP code.

“It was probably one of the easiest leaks I’ve discovered so far. During my daily sweep of all the ransomware shame sites, I came across Lorenz’s broken contact form. It was really as simple as viewing the source on the page and copy-pasting the leaked file path. It was pretty much placed in my lap, I didn’t even need to do a vulnerability scan.”

According to htmalgae, Lorenz closed access to its online contact form, preventing contact attempts using it, but the root issue “has not been addressed.”

At the time of writing, Lorenz’s website and online contact form are still accessible, and users can submit requests, but they are not actually being sent to the group at this time.

Screenshot of the Lorenz ransomware groups' online contact portal

Screenshot of the Lorenz ransomware groups’ online contact portal

The Lorenz discovery marks a rare occurrence of a ransomware group leaking data against their schedule.

Publishing data belonging to victims they have failed to extort is a common practice of ransomware criminals, but many of those involved in the latest leak weren’t victims of ransomware encryption.

Most had their identities masked behind fake names and obscure Proton Mail email addresses – a platform favored by many dark web users – but some included details that identified them personally. These included reporters, those working in financial services, and security researchers, among others.

What is the Lorenz ransomware group?

First observed in early 2021, the Lorenz ransomware is believed by experts to be a rebrand of the .sZ40 strain discovered in October 2020, which in turn is linked with the ThunderCrypt strain of 2017. The group’s victim blog also shows ‘.sZ40’ written across its homepage banner.

Like many leading ransomware operations, Lorenz is known for using a double-extortion model in attacks whereby they steal data before encrypting victims’ devices, holding both their data and systems to ransom.

This approach is designed to mitigate the possibility of victims simply restoring from backups and not having to pay the ransom demands for unlocking access to devices.

One of its most notorious attacks took place last year when it was observed exploiting a vulnerability in Mitel’s VoIP systems, tracked as CVE-2022-29499, to break into organizations and encrypt their data using Microsoft’s BitLocker Drive Encryption.

Cybereason categorizes the group’s threat level as “high” due to the destructive nature of their attacks. Lorenz is also thought to be a sophisticated operation, with the individuals involved typically investing “a lot of effort into their attacks,” including custom binaries for nearly every attack.

“They study their target’s employees, suppliers, and partners. This way, the Lorenz group can even go from one, already compromised victim to another. The knowledge they have collected is used to customize the attack specifically for the target,” Cybereason said.

In addition to double-extortion activities, Lorenz is also known for acting as an initial access broker (IABs), selling the access it secures to corporate networks to other cybercriminals who can then launch additional attacks.

SentinelOne said Lorenz relied on IABs in the past to launch its own attacks, as well as acting as one itself.

Lorenz isn’t among the most prolific ransomware groups in operation, failing to appear in any of the top rankings for 2023.

It only posted 16 victims to its leak site in 2023, including those whose identities were kept anonymous due to the ransom being paid. By contrast, AlphV/BlackCat posted 13 victims in just the past seven days. ®