The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the Healthcare and Public Health (HPH) sector to raise awareness of the Lorenz threat group. The cybercriminal gang has conducted numerous threat campaigns in the United States over the last two years.
The human-operated Lorenz ransomware is deployed only after the threat actors have broken into a network and stolen data. The gang is known to modify its executable code and personalize it for each targeted organization once access to the network has been obtained. Before spreading the ransomware to encrypt files, the Lorenz actors remain active in the network and conduct thorough reconnaissance over a significant period of time.

The gang employs double extortion: sensitive information is exfiltrated prior to file encryption, and the ransom demand covers both decryption and the promise not to publish the data. A common tactic among ransomware threat actors is to steal data and threaten to publish it on a data leak site if the ransom is not paid. Lorenz, however, employs a fairly unusual method. If no ransom is received after several attempts to contact the victim, the gang tries to sell the stolen data to competitors and other threat actors. If the ransom is still outstanding, Lorenz posts password-protected archives containing the stolen data on its data leak website. If the gang is unable to sell the information, the passwords to the archives are then made public, allowing anybody to view and download the stolen material. In certain instances, Lorenz has sold access to victim networks to other criminal gangs while maintaining its own access.
Lorenz regularly engages in big game hunting, focusing mostly on large organizations, with typical ransom demands ranging between $500,000 and $700,000. The vast majority of victims have been English-speaking, and there have been no reported attacks on non-enterprise targets. In contrast to most other ransomware groups, little is known about Lorenz. The group is known, however, to gain initial access to victims’ systems through techniques such as phishing, exploiting unpatched weaknesses in software and operating systems, compromising remote access tools such as RDP and VPNs, attacking managed service providers (MSPs), and targeting MSP clients.