Zffoto - stock.adobe.com

Lorenz Ransomware Targets Large Healthcare Orgs, HC3 Warns

Lorenz ransomware targets large organizations via “big-game hunting” and is known to publish data publicly during the extortion process.

Lorenz ransomware poses a threat to the healthcare sector, particularly larger organizations, the Health Sector Cybersecurity Coordination Center (HC3) warned in its latest analyst note. The human-operated ransomware group has been known to focus on “big-game hunting,” targeting large, high-profile entities rather than private users.

Lorenz threat actors are known to publish data publicly as a tactic to pressure victims during the extortion process. The actors have been observed demanding hefty ransoms, ranging from $500,000 to $700,000.

Researchers first observed Lorenz ransomware in February 2021, but it is believed to have ties to groups like sZ40 and ThunderCrypt, which were first observed in 2020 and 2017, respectively.

“Lorenz is human-operated ransomware, run by operators known to be customize their executable code, tailoring it for their targets,” the analyst note explained.

“This implies that they may maintain persistent access for reconnaissance purposes for some extended period of time prior to ransomware deployment. They often follow the pattern of initial access, followed by reconnaissance and lateral movement, ultimately seeking a Windows domain controller in search of administrator credentials.”

Lorenz ransomware operates a leak site, but HC3 analysts described the site as “non-typical.” When victims refuse to pay, the threat actors make the stolen data available for sale to fellow threat actors. Next, the group will release password-protected archives with victim data.

If all else fails, meaning the victim refuses to pay and Lorenz fails to sell the data to competing threat actors, the group releases the password to the public and exposes the stolen data for anyone to see.

“Relatively little is known about Lorenz as compared to many other ransomware operators,” HC3 noted.

Rather than providing specific mitigation tactics for Lorenz, HC3 urged healthcare organizations to remain aware of common ransomware attack vectors, such as phishing, compromise of known vulnerabilities, compromise of remote-access technologies, and distributed attacks.

In another recent alert, HHS, the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) once again warned healthcare organizations of Hive ransomware. The group continues to target critical infrastructure, especially healthcare, since they were first observed in 2021.

Both the Hive and the Lorenz alert show that threat actors are not slowing their efforts, and the healthcare sector should continue to remain vigilant.

Next Steps

Dig Deeper on Cybersecurity strategies