Cybersecurity specialists released a free decryptor for Lorenz ransomware

Dutch company Tesorion has released a free decryptor for data affected by Lorenz ransomware attacks.

Now some files can be recovered for free, without paying the ransom.

“Based on our analysis of the Lorenz ransomware we have come to the conclusion that we can decrypt (non-corrupted) affected files in some cases without paying the ransom,” Tesorion security researcher Gijs Rijnders said.

Rijnders said the decryptor is not universal and will work only “in some cases.” Even so, it gives many Lorenz victims a chance they would not otherwise have of recovering their files without paying hundreds of thousands of US dollars to the Lorenz gang.

Lorenz ransomware has been “operational” since April 2021 and has attacked only corporate targets. During this time, its operators have published on their website the data of twelve victims whose information was stolen by the hackers.

According to cybersecurity researchers, the ransomware code is based on the code of the old ThunderCrypt and SZ40 malware families.

The decryptor created by Tesorion can be downloaded from the NoMoreRansom website. Unlike other similar tools, which usually work with the actual decryption key, this decryptor works differently and will only help you recover certain types of files.

In particular, it is possible to decrypt files with a well-known structure, including Office documents, PDF files, and some types of images and movies. Unfortunately, the Tesorion decryptor cannot handle files of unknown types or with an unusual structure.

The researchers also published information on the encryption technique that Lorenz uses.

The company’s blog says that an error was discovered in the hackers’ code that could lead to data loss and prevent file decryption, even if a ransom was paid to the attackers.

“As a result of this error, for every file that is a multiple of 48 bytes, the last 48 bytes are lost. Even if you managed to get a decoder from the malware authors, these bytes can no longer be recovered,” the experts explain.

Let me remind you that I also talked about the fact that FonixCrypter ransomware stopped working and published a key to decrypt data.

By Vladimir Krasnogolovy
