The law of cyberboomerang: the Lorenz ransomware group was the victim of its own leak

The data of everyone who tried to contact hackers for 2 years was made publicly available.

The Lorenz ransomware group inadvertently exposed the data of everyone who tried to contact it via an online form on its dark web site over the past two years. The data includes names, email addresses, and the subjects of their queries.

The problem was discovered by a security researcher known under the pseudonym Htmalgae. He fixed the backend code leak and published the extracted information on GitHub.

The incident was caused by an error in the settings of the Apache2 web server on the part of the Lorenz team.

"Someone from Lorenz made a mistake in the Apache2 web server settings. This led to the leak of the authorization form disclosure," Htmalgae explains. "This leak is probably one of the simplest I've ever found. I discovered a faulty Lorenz feedback form during my daily review of ransomware sites. All I had to do was look at the source code of the page and copy the address of the leaked file."

Htmalgae also clarified that Lorenz temporarily closed access to its contact form, but the main problem "remained unresolved." The site is still functioning, and users can still send requests (although they no longer reach the hackers).

The mere fact of such a leak can undermine the group's reputation in the cybercrime world and could lead to arrests.

Lorenz first appeared on experts' radar in 2021. One theory holds that its ransomware is a modification of the .sZ40 strain, discovered in October 2020. That strain, in turn, is linked to the 2017 ThunderCrypt program.

The hackers often use a tactic known as "double ransom." After the files are compromised, the devices themselves are encrypted. This approach prevents the victim from simply restoring the information from backups and thereby avoiding negotiations with the criminals.

The group is also known as an initial access broker (IAB). In simple terms, it sells access to the corporate networks of the companies it has attacked to other cybercriminals.

Cybereason rates the threat level posed by Lorenz as "high," emphasizing the destructive nature of its actions. The hackers are said to use particularly sophisticated methods, finding a "special approach" to each company.

However, in 2023, despite its activity, Lorenz did not make any of the rankings of top ransomware groups. In 10 months, only 16 victims were posted on its website.