Lorenz crime group leaks their own user data through a website flaw
Take action: This incident shows that building secure systems is much harder than breaking them. A dangerous hacker group missed a fairly basic security step on their own systems.
The Lorenz ransomware group has inadvertently exposed a comprehensive list of individuals who had interacted with them through their online contact form over the preceding two years. A security researcher noticed that Lorenz's dark web victim blog was leaking backend code and proceeded to extract the data, subsequently uploading it to a public GitHub repository. The leaked data contained names, email addresses, and the subject lines entered into the ransomware group's limited online form for requesting information.
Some individuals had their identities concealed behind aliases and obscure Proton Mail email addresses. However, others had personal identifiers exposed, including reporters, individuals from the financial sector, and security researchers.
This breach occurred due to a misconfiguration of the Apache2 web server on Lorenz's part, which caused the login form to leak its backend PHP code and expose critical information. The compromised data encompasses entries from June 3, 2021, to September 17, 2023, the date on which the contact form stopped working. The leak covers almost the entire period since the Lorenz group was first observed in February 2021.
The cybersecurity expert who uncovered the leak and disclosed it on the clear web clarified that it resulted from the Apache2 server's misconfiguration. Although Lorenz temporarily closed access to its online contact form, the root issue had not yet been addressed at the time. At present, Lorenz's website and online contact form remain accessible, but requests submitted through the form are not being delivered to the group.
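The failure mode described above, a web server handing out the text of a PHP script instead of executing it, is easy to check for on your own servers. The following is an added example, not code from the article or from the researcher it describes: it flags HTTP response bodies that contain raw PHP open tags, and runs a heuristic check over an Apache vhost for any directive that maps `.php` files to a PHP handler. The page does not say which Apache directive was wrong in Lorenz's case; a missing PHP handler is one common cause and is used here as an assumption. All sample responses, URLs and vhost text are constructed, and the regular expressions are heuristics, not an exhaustive Apache parser.

```python
import re

# Raw PHP open tags ("<?php" or the short echo tag "<?=") in an HTTP response
# body mean the server returned the script text instead of executing it.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# Heuristic: directives that wire .php files to a PHP handler in Apache.
# Their absence is a classic cause of "source served as text" (assumption:
# the page does not state which directive was misconfigured in this incident).
PHP_HANDLER_DIRECTIVE = re.compile(
    r"^\s*(?:SetHandler\s+\S*php|AddHandler\s+\S*php|"
    r"AddType\s+application/x-httpd-php|LoadModule\s+php\S*_module)",
    re.IGNORECASE | re.MULTILINE,
)


def php_source_exposed(body: str) -> bool:
    """Return True if the response body looks like unexecuted PHP source."""
    return bool(PHP_OPEN_TAG.search(body))


def audit_responses(responses: dict[str, str]) -> list[str]:
    """Return the URLs whose (already fetched) bodies disclose PHP source."""
    return sorted(url for url, body in responses.items() if php_source_exposed(body))


def vhost_has_php_handler(config_text: str) -> bool:
    """Heuristic check that an Apache vhost/config maps PHP files to a handler."""
    return PHP_HANDLER_DIRECTIVE.search(config_text) is not None


# --- Constructed sample data (not real Lorenz pages or configs) ---
RENDERED_FORM = """<html><body>
<form method="post" action="/contact.php">
  <input name="email"><input name="subject"><button>Send</button>
</form></body></html>"""

LEAKED_SOURCE = """<?php
// constructed example of what a misconfigured server would return verbatim
$db = new PDO('sqlite:/var/www/contacts.db');
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $stmt = $db->prepare('INSERT INTO contacts(email, subject) VALUES (?, ?)');
    $stmt->execute([$_POST['email'], $_POST['subject']]);
}
?>
<form method="post"> ... </form>"""

SAMPLE_RESPONSES = {
    "http://example.test/index.html": RENDERED_FORM,
    "http://example.test/contact.php": LEAKED_SOURCE,
}

# Hypothetical vhost with no PHP handler at all: .php files are served as-is.
VHOST_NO_HANDLER = """<VirtualHost *:80>
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>"""

# Same vhost with PHP-FPM wired in via SetHandler (constructed).
VHOST_WITH_HANDLER = VHOST_NO_HANDLER.replace(
    "</Directory>",
    '</Directory>\n    <FilesMatch "\\.php$">\n'
    '        SetHandler "proxy:unix:/run/php/php-fpm.sock|fcgi://localhost/"\n'
    "    </FilesMatch>",
)

if __name__ == "__main__":
    print("exposed:", audit_responses(SAMPLE_RESPONSES))
    print("no-handler vhost has PHP handler:", vhost_has_php_handler(VHOST_NO_HANDLER))
    print("fixed vhost has PHP handler:", vhost_has_php_handler(VHOST_WITH_HANDLER))
```

In practice you would feed `audit_responses` the bodies fetched from your own application's PHP endpoints after every web server or PHP package change, since a PHP upgrade that removes the old handler module is a common way for a previously working site to start serving source. The body check can false-positive on pages that legitimately embed the string `<?php` (for example a code tutorial), so treat a hit as something to inspect rather than a confirmed leak.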
The Lorenz ransomware group, initially identified in early 2021, is notorious for using a double-extortion model: they steal data before encrypting victims' devices, then use both the stolen data and system access as leverage for ransom. Lorenz is considered a highly threatening entity due to the destructiveness of its attacks, and the group is known to invest significant effort in tailoring attacks to specific targets.