Dutch cybersecurity firm Tesorion has released a free decryptor for the Lorenz ransomware.

The firm has been able to develop a process that can in some cases decrypt files affected by Lorenz without paying the ransom.

The Lorenz ransomware uses a combination of RSA and AES-128 in CBC mode to encrypt files on an infected system. A password is generated at random for each file, and an encryption key is then derived using the CryptDeriveKey function.

Files encrypted by ransomware commonly contain footers, as footers can be easily appended to a file. Lorenz places a header before the encrypted file instead. This makes the ransomware less efficient as it must copy the contents of every file.

The header contains the magic value: ‘.sz40’, followed by the RSA-encrypted file encryption key. After writing the encrypted file header, every file is encrypted whole in rather small blocks of 48 bytes. Encrypted files get the file extension: ‘.Lorenz.sz40’.

Encryption Bug

Lorenz encrypts every file whole in blocks of 48 bytes. It first reads the next 48 bytes (or whatever is available) from the original file. The freshly obtained data block is then encrypted and written to the encrypted file. This encryption algorithm is displayed in the screenshot below.

Lorenz Ransomware Decryptor Released

Tesorion researcher Gijs Rijnders wrote in a blog post that that only files with well-known file structures could be decrypted, such as Office documents, PDF files, some image types, and movie files.

While the decryptor will decrypt not every file type, it will still allow those who do not pay the ransom to recover important files.

As you can see below, the decryptor can decrypt well-known file types, such as XLS and XLSX files, without a problem. However, it will not decrypt unknown file types or those with uncommon file structures.

The Lorenz ransomware decryption tool can be downloaded from NoMoreRansom and will allow victims to recover some of their encrypted files.