HPH Sector Cautioned of Lorenz Ransomware Group

The healthcare and public health (HPH) sector is being warned about ransomware attacks carried out by the Lorenz threat group, which has conducted a number of attacks in the U.S. over the past two years with no sign that its activity is slowing.

Lorenz ransomware is human-operated and is deployed only after the attackers have gained access to systems and exfiltrated data. Once inside a network, the group is known to tailor its executable for each targeted organization. The Lorenz actors maintain persistence and conduct extensive reconnaissance over a long period before deploying the ransomware to encrypt files. The group uses double extortion: sensitive data is exfiltrated before encryption, and a ransom is demanded both to obtain the decryption keys and to prevent the stolen data from being sold or published.

Many ransomware threat actors steal data and threaten to publish it on a data leak site if the ransom is not paid. The approach used by Lorenz is somewhat unusual. If the victim does not pay, the group first attempts to sell the stolen data to other threat actors and to the victim's competitors. If the ransom still goes unpaid, Lorenz publishes password-protected archives containing the stolen data on its leak site. If the group is unable to profit from the data in any other way, it then releases the archive passwords, allowing anyone to access and download the stolen data. In some cases the group has retained access to victims' systems and offered that access to other threat actors.

Lorenz engages in big game hunting, most often attacking large companies, with ransom demands typically between $500,000 and $700,000. No attacks on non-business targets have been identified, and most victims are English-speaking. Compared with most other ransomware groups, relatively little is known about Lorenz. The group's initial access methods include phishing, compromising remote access technologies such as RDP and VPNs, exploiting unpatched vulnerabilities in software and operating systems, and attacking managed service providers (MSPs) and then pivoting to the MSPs' customers.

The Health Sector Cybersecurity Coordination Center (HC3) Analyst Note includes references, indicators of compromise, and other resources that defenders can use to strengthen their security against Lorenz ransomware attacks.