That the cybercriminali It is well known that they are cunning and fearsome characters. Sometimes, however, just like all of us human beings, they can also encounter sensational failures.
What has just been said is confirmed by what happened to the ransomware group Lorenz which, due to an error, leaked the data of all the people involved in their attacks.
This sensational discovery was made by a security researcher who noted how the blog on Dark Web belonging to cybercriminals featured del exposed code. In this way, it was easy for the expert (but potentially not only for him) to extract the data present on the site.
The information in question includes nomi, email addresses and other personal data. To confirm that the information is true, The Register contacted some of the names on the list, having confirmed that they had been involved, against their will, in the ransomware campaign.
The data entries included in the leak date back to June 3, 2021, and end on September 17, 2023, the date on which the contact form stopped working.
Lorenz Ransomware: Data lost due to incorrect server configuration
The security company Cybereason had previously stated that the collective behind Lorenz was first observed in February 2021, meaning that the leaked data covers almost the entire period of the group’s existence.
Htmalgaethe online contact for the researcher who found and published the leak, told The Register exclusively that the leak was due to a server Apache2 poorly configured. “At some point over the last month, someone at the Lorenz group misconfigured their Apache2 web server, causing PHP code to be leaked from the login form. This was probably one of the easiest leaks I’ve discovered so far“.
He then added that “During my daily exploration of all ransomware sites, I came across Lorenz’s broken contact form. It was really easy to view the source on the page and copy-paste the location of the leaked file. I practically found it in my arms, I didn’t even need to do a vulnerability scan“.
Htmalgae then confirmed how the cybercriminals closed access to the module (still present but no longer functional), although not completely solving the server configuration problems.
It must be said that much of the leaked data concerns identities masked behind false names, but there are some exceptions. According to the researcher, in fact, we are talking about different ones journalists, financial operators and even some of his colleagues, that is researchers in the field of computer security.