Lorenz ransomware decryptor recovers victims’ files for free

Dutch cybersecurity firm Tesorion has released a free decryptor for the Lorenz ransomware, allowing victims to recover some of their files for free without paying a ransom.

Lorenz is a human-operated ransomware that began operating in April 2021 and has since listed twelve victims whose data they have stolen and leaked on their ransomware data leak site.

​

Lorenz is not particularly active and has begun to taper off in recent months compared to other operations.

Lorenz ransomware decryptor released

The Lorenz ransomware decryption tool can be downloaded from NoMoreRansom and will allow victims to recover some of their encrypted files.

Unlike other ransomware decryptors that include the actual decryption key, Tesorion’s decryptor operates differently and can only decrypt certain file types.

Tesorion researcher Gijs Rijnders told BleepingComputer that only files with well-known file structures could be decrypted, such as Office documents, PDF files, some image types, and movie files.

While the decryptor will decrypt not every file type, it will still allow those who do not pay the ransom to recover important files.

As you can see below, the decryptor can decrypt well-known file types, such as XLS and XLSX files, without a problem. However, it will not decrypt unknown file types or those with uncommon file structures.

In addition to providing a decryptor, Tesorion provided insight into the encryption technique used by the Lorenz ransomware.

In a blog post, Rijnders explains that a bug in how they implement their encryption can cause data to become lost, which would prevent a file from being decrypted even if a ransom was paid.

“The result of this bug is that for every file which’s size is a multiple of 48 bytes, the last 48 bytes are lost. Even if you managed to obtain a decryptor from the malware authors, these bytes cannot be recovered,” explains Rijnders.