The healthcare and public health sector (HPH) has been warned about the threat of ransomware attacks by the Lorenz threat group, which has conducted several attacks in the United States over the past two years, with no sign that attacks are slowing.
Lorenz ransomware is human-operated and is deployed after the threat actors have gained access to networks and have exfiltrated data. Once access to the network is gained, the group is known to customize its executable code and tailor it for each targeted organization. The Lorenz actors maintain persistence and conduct extensive reconnaissance over an extended period of time before deploying ransomware to encrypt files. The group engages in double extortion tactics, where sensitive data is exfiltrated prior to file encryption and ransom demands are issued to prevent the sale or publication of that data, in addition to payment being required to obtain the keys to decrypt files.
Many ransomware threat actors steal data and threaten to publish the stolen files on a data leak site if the ransom is not paid. The process used by Lorenz is somewhat unusual. If the ransom is not paid after the group has attempted to engage with the victim, the group attempts to sell the stolen data to other threat actors and competitors. If the ransom is still not paid, Lorenz publishes password-protected archives containing the stolen data on its data leak site. If the group is unable to monetize the stolen data, the passwords for the archives are then published, which allows anyone to access and download the stolen data. There have been cases where the group has maintained access to victims’ networks and has sold that access to other threat groups.
Lorenz engages in big game hunting, most commonly targeting large organizations, with ransom demands typically in the range of $500,000 to $700,000. There have been no known attacks on non-enterprise targets, and the majority of victims have been English-speaking. In contrast to most other ransomware gangs, relatively little is known about this group. Methods known to have been used by the group to gain initial access to victims’ networks include phishing, compromising remote access technologies such as RDP and VPNs, exploiting unpatched vulnerabilities in software and operating systems, and attacking managed service providers (MSPs) and then pivoting to the MSPs’ clients.
The Health Sector Cybersecurity Coordination Center (HC3) Analyst Note includes references, known Indicators of Compromise, and other resources that can be used by network defenders to improve their defenses against Lorenz ransomware attacks.