Canada Post Suffers Data Breach As Supplier Ensnared By Lorenz Ransomware


Lorenz Ransomware has claimed its latest victim, a third-party supplier to Canada Post, resulting in a sizeable data breach for the postal service. Last week, Canada Post informed 44 of its largest customers that a Lorenz Ransomware attack on a third-party service supplier had exposed shipping information belonging to their customers. Canada Post is the primary postal operator in Canada and serves 16.5 million residential and business addresses.

The data exposed in the attack consists of manifest information for large parcel business customers: sender and receiver contact information, names, and mailing addresses.

In total, the breach affected 44 Canada Post commercial customers and 950,000 receiving customers.

“After a detailed forensic investigation, there is no evidence that any financial information was breached. In all, the impacted shipping manifests for the 44 commercial customers contained information relating to just over 950 thousand receiving customers. After a thorough review of the shipping manifest files, we’ve determined the following:

  • The information is from July 2016 to March 2019
  • The vast majority (97%) contained the name and address of the receiving customer
  • The remainder (3%) contained an email address and/or phone number”

In December 2020, Lorenz Ransomware posted on their Dark Web leak site that they had successfully breached Commport Communications. Since that date, the Lorenz Ransomware gang has leaked over 35GB of data stolen in the attack.

Screen capture from the Lorenz Ransomware data leak site

Canada Post states that, at the time of the attack, Commport did not believe any of its data had been accessed; the leaked data shows that this was not the case. Canada Post says it has hired external cybersecurity experts to assist in the investigation and has notified the Office of the Privacy Commissioner of Canada.

Lorenz Ransomware first appeared in December. It targets organizations around the world with customized attacks, showing that the operators behind the malware are skilled individuals.

According to cybersecurity researcher Michael Gillespie, Lorenz Ransomware shares much of its code with the ThunderCrypt Ransomware operation, and Lorenz is believed to be a reworking of ThunderCrypt.

Like other ransomware attacks, Lorenz Ransomware breaches a network and spreads laterally to other devices until it gains access to Windows domain administrator credentials.

Lorenz Ransomware Analysis


Note: The following is an analysis of ThunderCrypt, carried out by TrendMicro. Though there are some differences between ThunderCrypt and Lorenz, the core of the malware as shown below is the same.

Generally, Lorenz Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

This ransomware drops the following copies of itself onto the affected system:

  • %User Temp%\MoUsoCoreWorker.exe
  • %Windows%\dws.exe

It drops the following files:

  • %Windows%\tWjdf.js → Contains a script that uses the SpVoice interface (Windows text-to-speech).

It adds the following processes:

  • %User Temp%\MoUsoCoreWorker.exe
  • Using "%System%\wbem\WMIC.exe" process call create "{Command String}":
    • sc create "service_123" binpath= "cmd.exe /k %Windows%\dws.exe & {Long String of Characters}" displayname="A" start= auto
    • cmd.exe /c WMIC.exe shadowcopy delete /nointeractive & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    • cmd.exe /c wevtutil cl "security"&wevtutil cl "windows powershell"&wevtutil cl "security"&wevtutil cl "Application"&wevtutil cl "HardwareEvents"&wevtutil cl "System"&wevtutil cl "Setup"&wevtutil cl "Setup"
    • cmd.exe /c schtasks /Create /F /Ru Users /SC DAILY /TN voise /TR "%Windows%\tWjdf.js"
    • cmd.exe /c schtasks /Run /TN voise
  • %System%\cmd.exe /c wmic /node:'0.0.0.0' /USER:'{Domain}.net\Administrator' /PASSWORD:'{Password}' process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz40 /TR '\{Domain}.net\NETLOGON\sinhost.exe' & SCHTASKS /run /TN sz40&SCHTASKS /Delete /TN sz40 /F"
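The command lines above are the most detectable part of the chain: shadow copy deletion, bcdedit recovery tampering, event log clearing, a service that wraps cmd.exe /k, and remote task creation over WMI all surface as process-creation events (Sysmon Event ID 1 or Windows 4688). The following Python script is an added example, not code from the page, from TrendMicro or from the malware: it runs a small set of regex rules over constructed command-line records. The sample lines, the expanded paths, the host and domain names, and the mapping of each rule to an ATT&CK technique ID are my own assumptions, not data from the page.

```python
import re

# Constructed sample process-creation command lines (not real log data). The first five mirror
# the behaviours listed on the page with %Windows%/%System% expanded and placeholders filled in;
# the last two are benign and should not match anything.
SAMPLE_COMMAND_LINES = [
    r"cmd.exe /c WMIC.exe shadowcopy delete /nointeractive & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    r'cmd.exe /c wevtutil cl "security"&wevtutil cl "windows powershell"&wevtutil cl "System"',
    r'cmd.exe /c schtasks /Create /F /Ru Users /SC DAILY /TN voise /TR "C:\Windows\tWjdf.js"',
    r'sc create "service_123" binpath= "cmd.exe /k C:\Windows\dws.exe & AAAA" displayname="A" start= auto',
    "C:\\Windows\\System32\\cmd.exe /c wmic /node:'10.0.0.5' /USER:'corp.net\\Administrator' "
    "/PASSWORD:'x' process call create \"cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON "
    "/TN sz40 /TR '\\\\corp.net\\NETLOGON\\sinhost.exe' & SCHTASKS /run /TN sz40\"",
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    r"wevtutil qe Security /c:10 /f:text",  # reading a log is not clearing it
]

# Each rule: (name, ATT&CK technique id, compiled regex). Rules are case-insensitive because the
# Windows shell is, and the page's own samples mix cases (WMIC.exe vs wmic, SCHTASKS vs schtasks).
RULES = [
    ("shadow copy deletion", "T1490",
     re.compile(r"\b(wmic(\.exe)?\s+shadowcopy\s+delete|vssadmin(\.exe)?\s+delete\s+shadows)", re.I)),
    ("recovery disabled via bcdedit", "T1490",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("event log clearing", "T1070.001",
     re.compile(r"wevtutil(\.exe)?\s+cl\s", re.I)),
    ("scheduled task running a script from the Windows directory", "T1053.005",
     re.compile(r'schtasks\s+/create\b.*/tr\s+"?(?:[a-z]:\\|%)windows(?:%)?\\[^"]*\.js', re.I)),
    ("service whose binary path wraps cmd.exe /k", "T1543.003",
     re.compile(r'\bsc(\.exe)?\s+create\b.*binpath=\s*"?cmd(\.exe)?\s+/k', re.I)),
    ("remote WMI process creation that schedules a task from NETLOGON", "T1047",
     re.compile(r"wmic\s+/node:.*?process\s+call\s+create.*?schtasks\s+/create.*?\\netlogon\\", re.I)),
]


def scan_command_line(cmdline: str) -> list[tuple[str, str]]:
    """Return (rule name, technique id) for every rule the command line matches."""
    return [(name, tid) for name, tid, rx in RULES if rx.search(cmdline)]


def scan_log(lines: list[str]) -> dict[int, list[tuple[str, str]]]:
    """Map line index -> hits, keeping only lines that matched at least one rule."""
    hits = {}
    for i, line in enumerate(lines):
        found = scan_command_line(line)
        if found:
            hits[i] = found
    return hits


if __name__ == "__main__":
    for idx, found in scan_log(SAMPLE_COMMAND_LINES).items():
        print(f"line {idx}: " + ", ".join(f"{name} ({tid})" for name, tid in found))
```

The rules are deliberately narrow so that a single false match is unlikely; in practice the strongest signal is several of them firing from the same parent process within a short window, which is what the combined shadow-copy and bcdedit line above produces on its own.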

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • {Organization Name}

Lorenz Ransomware registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

Lorenz Ransomware Additional Registry Keys

Lorenz Ransomware then carries out the following:

  • It only proceeds to its encryption routine if its filename is MoUsoCoreWorker.exe.
  • It encrypts FIXED, REMOVABLE, and NETWORK Drives.
  • It appends the extension .sz40 to the file that it is currently encrypting and will rename the file back to its original filename without the appended extension after the encryption has finished.
  • It uses SpVoice Interface functionality to play the following message:
    • You’ve been hacked! Your files are stolen and encrypted. Follow our instructions!
  • It creates a one-time remote scheduled task to execute its copy.
  • It sends the information it gathers to the following URL:
    • {BLOCKED}.{BLOCKED}.251.27:55

It adds the following scheduled tasks:

  • Task Name: voise
    Trigger: Daily
    Task Action: %Windows%\tWjdf.js
  • Task Name: sz40
    Trigger: ONLOGON
    Task Action: \{Domain}.net\NETLOGON\sinhost.exe

Lorenz Ransomware avoids encrypting files found in the following folders:

  • $Recycle.Bin
  • All Users
  • Local
  • Microsoft
  • Packages
  • Program Files
  • Program Files (x86)
  • ProgramData
  • Temp
  • WINDOWS
  • Windows
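Two details above are directly usable by a defender: the encryption routine renames each file to an .sz40 working name and back again, and it never descends into the listed folders. The following Python script is an added example, not code from the page, from TrendMicro or from the malware. It counts complete rename cycles per process over a constructed stream of rename events (the kind an EDR or Sysmon Event ID 11 feed would give), and it checks whether a proposed canary-file location sits in one of the skipped folders, where the routine would never reach it. The event records, PIDs and paths are constructed for the example.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Folder names the page lists as skipped by the encryption routine. Matching is done on a single
# path component, case-insensitively, which also covers both "WINDOWS" and "Windows".
SKIPPED_FOLDERS = {
    "$recycle.bin", "all users", "local", "microsoft", "packages", "program files",
    "program files (x86)", "programdata", "temp", "windows",
}

# Working extension the page describes: appended during encryption, removed afterwards.
WORKING_EXTENSION = ".sz40"


def in_skipped_folder(path: str) -> bool:
    """True if any directory component of a Windows path is one of the skipped folder names.

    A canary file placed under such a folder (C:\\Program Files, AppData\\Local, ...) would never
    be touched by this routine and therefore would never fire.
    """
    directory_parts = PureWindowsPath(path).parts[:-1]  # everything but the file name
    return any(part.lower() in SKIPPED_FOLDERS for part in directory_parts)


# Constructed rename events: (pid, old_path, new_path), in the order they were observed.
SAMPLE_RENAME_EVENTS = [
    (4120, r"C:\Users\bob\Documents\q1.xlsx", r"C:\Users\bob\Documents\q1.xlsx.sz40"),
    (4120, r"C:\Users\bob\Documents\q1.xlsx.sz40", r"C:\Users\bob\Documents\q1.xlsx"),
    (4120, r"\\fileserver\share\plan.docx", r"\\fileserver\share\plan.docx.sz40"),
    (4120, r"\\fileserver\share\plan.docx.sz40", r"\\fileserver\share\plan.docx"),
    (4120, r"E:\backup\db.bak", r"E:\backup\db.bak.sz40"),
    (4120, r"E:\backup\db.bak.sz40", r"E:\backup\db.bak"),
    (1337, r"C:\Users\bob\Desktop\draft.txt", r"C:\Users\bob\Desktop\draft.txt.sz40"),  # never renamed back
    (2001, r"C:\Users\bob\Downloads\a.tmp", r"C:\Users\bob\Downloads\a.pdf"),           # ordinary rename
]


def find_encryption_cycles(events) -> Counter:
    """Count, per pid, files that went X -> X.sz40 -> X.

    A rename to .sz40 alone is only recorded as pending; a cycle is counted when the matching
    rename back is seen, so a single stray rename does not raise the count.
    """
    pending = set()  # (pid, original path) renamed to .sz40 and not yet renamed back
    cycles = Counter()
    n = len(WORKING_EXTENSION)
    for pid, old, new in events:
        if new.lower().endswith(WORKING_EXTENSION) and new[:-n] == old:
            pending.add((pid, old))
        elif old.lower().endswith(WORKING_EXTENSION) and old[:-n] == new:
            if (pid, new) in pending:
                pending.discard((pid, new))
                cycles[pid] += 1
    return cycles


def suspicious_pids(events, threshold: int = 3) -> list[int]:
    """PIDs that completed at least `threshold` rename cycles, sorted ascending."""
    return sorted(pid for pid, count in find_encryption_cycles(events).items() if count >= threshold)


if __name__ == "__main__":
    print("cycles per pid:", dict(find_encryption_cycles(SAMPLE_RENAME_EVENTS)))
    print("suspicious:", suspicious_pids(SAMPLE_RENAME_EVENTS))
    for candidate in (r"C:\Program Files\canary\do_not_touch.docx", r"C:\Users\bob\Documents\canary.docx"):
        print(candidate, "-> skipped by routine" if in_skipped_folder(candidate) else "-> reachable")
```

Because the file is renamed back to its original name when encryption finishes, a detection keyed only on files that currently carry the .sz40 extension catches the routine for a fraction of a second at most; counting completed cycles per process is what makes the signal stable.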

It drops the following file(s) as ransom note:

  • %Desktop%\HELP_SECURITY_EVENT.html
  • %Desktop%\{Encrypted Directory}\HELP_SECURITY_EVENT.html

Lorenz Ransomware Note

Protection

Ransomware is a crowded scene, with new threats rising and falling almost every day. It is important that business owners and families have the best tools for the job when it comes to protecting their devices. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, malware protection, and internet controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.
