Cyble-Blogs-Lorenz-Ransomware

Ransomware Extortion Techniques: A Growing Concern for Organizations

Lorenz Ransomware Group Joins ALPHV and LOCKBIT in Advanced Extortion Tactics

Several ransomware groups attempt to make their business model more profitable by adopting different extortion techniques. Some organizations often have more valuable data to lose and are more likely to pay the ransom to avoid the negative impact on their business. If victims refuse to pay, ransomware groups use different extortion techniques to pressure their victims to pay the ransom quickly.

Initially, ransomware groups used double extortion as a tactic, where they would steal sensitive data and then encrypt it, threatening to release the stolen data if the victim failed to pay the ransom on their leak site or cybercrime forums. However, some groups have since evolved to use triple extortion, which includes not only stealing and encrypting data but also launching Distributed Denial of Service (DDoS) attacks on victims.

This DDoS attack causes an interruption of normal traffic to the victim’s website, causing more damage to the victim’s business. Additionally, groups like CLOP have taken extortion a step further by contacting the victim’s clients directly via email about the attack, causing further reputational damage and potentially losing future business.

Cyble Research and Intelligence Labs (CRIL) reported on several new extortion techniques adopted by prominent ransomware groups. In the first half of 2022, ALPHV ransomware added two new extortion techniques to its arsenal. This group created a typosquatted domain of its victim and used that to leak the victim’s data.

Later, this group created a searchable database of its victim’s stolen data. Using this database, anyone could search for keywords in the victim’s sensitive data without downloading it. It allows the group to increase the pressure on the victim to pay the ransom by showing that the data is easily accessible and searchable.

The ALPHV ransomware group has taken the extortion technique to a new level by creating a website with the same user interface as the victim’s; this suggests that the group is actively adding this technique to its arsenal for targeting victims. This kind of website is called “mirror-site” and it’s used to mimic the victim’s website. Creating a mirror site is a highly effective way of convincing the victim that they have no choice but to pay the ransom.

The figure below shows the post made by the ALPHV ransomware group on their leak site mentioning the typo squatted domain.

Figure 1 – Leaksite mentioning the typosquatted domain

Lorenz Ransomware

CRIL came across a post made by the Lorenz ransomware group on their leak site, which references a domain name similar to the victim’s domain name. It also revealed information about the negotiations between the group and the victim’s organization. It appears that the Lorenz ransomware group also contacted the victim’s clients and employees regarding the ransomware attack. This victim was mentioned at the leak site on January 10, 2023.

The figure below shows the post made by Lorenz ransomware.

Figure 2 – Post Made by Lorenz Ransomware

Further investigations revealed that the domain created by the Lorenz group was utilized to share the stolen data of the victim publicly. The group has reportedly posted over 500GB of data on this domain. This tactic of leaking stolen data to increase pressure on the victim is also commonly used by the ALPHV ransomware group.

The figure below shows the domain created by Lorenz ransomware.

Figure 3 – Domain Created by Lorenz Ransomware

The Lorenz ransomware group also leaked the victim’s negotiation chats. This tactic has been previously observed by other ransomware groups such as LOCKBIT. The leaked negotiations suggest that the Lorenz ransomware group also contacted the victim’s clients and employees about the attack. It can further damage the company’s reputation and increase the perceived urgency of the ransom demand.

The figure below shows the leaked negotiation chats by Lorenz ransomware.

Figure 4 – Leaked Negotiation Chats

Conclusion

Ransomware groups are known for constantly evolving tactics to increase their chances of success and profits. It includes using different extortion techniques to threaten victims, such as creating typosquatted domains, leaking negotiation chats, and contacting the victim’s clients and employees. These attacks can severely damage the victim organization’s reputation and cause financial losses.

It’s also important to note that data exfiltrated during ransomware attacks often contains sensitive information such as PII and plain-text passwords, which other threat actors can use for further attacks.

To protect against these risks, organizations must take a proactive approach to monitor third-party data leaks and implement strong cybersecurity measures to prevent ransomware attacks. It’s also crucial to have an incident response plan to respond effectively to such attacks if they occur.

Our Recommendations 

  • Monitor typosquatted domains for effective brand monitoring.
  • Determine which systems were impacted and immediately isolate them.
  • Consult with your incident response team to develop and document an initial understanding of what has occurred based on the initial analysis.
  • Organizations should monitor third-party breaches.  
  • Conduct security awareness training frequently for the employees of the organization.  
  • Segment the organization’s ecosystem to obfuscate access to all sensitive resources.  
  • Organizations are advised to secure all third-party systems to prevent vulnerable third parties from becoming attack vectors.  
  • Never open untrusted links and suspicious email attachments without verifying their authenticity.   
  • Back up data on different locations and implement Business continuity planning (BCP).  
  • Implement Data loss prevention (DLP), Anti-virus, Endpoint detection and response (EDR), Security Information and Event Management (SIEM), and other security solutions.  
  • Regularly perform audits and Vulnerability Assessment and Penetration Testing (VAPT) of organizational assets, including network and software.  
  • Implement a strict Identity and Access Management (IAM) policy.

Recent Blogs

BATLoader-RATs-Stealers-OneNote

Cyble analyzes BATLoader – A sophisticated loader being utilized by Threat Actors to deliver several malware families.

Read More »
Qakbot-Microsoft-OneNote

Cyble Research & Intelligence Labs analyzes new strategies deployed by Qakbot to infect users via Microsoft OneNote.

Read More »
Scroll to Top