HC3 Alert on Lorenz Ransomware
HC3 has issued an alert about Lorenz ransomware. Lorenz threat actors have been mentioned on DataBreaches’ site several times since 2021. In one case they attacked and exfiltrated data of 500,000 patients of Wolfe Clinic in Iowa, and they recently posted data from Salud Family Health in Colorado. Salud has not yet reported a number to HHS for that incident, using a “501” as a marker for an incident greater than 500 patients. HC3’s report begins:
Lorenz is human-operated ransomware that has been in operation for approximately two years. In that time, HC3 is aware of the compromise of healthcare and public sector targets. It is used to target larger organizations in what is called “big-game hunting”, and publishes data publicly as part of pressuring victims in the extortion process. Lorenz is known to target organizations globally using customized code,
and can demand hundreds of thousands of dollars in ransoms.
Lorenz ransomware was first observed in February of 2021. Lorenz is believed to be related to sZ40 ransomware (first observed in October 2020) and ThunderCrypt ransomware (first observed in May of 2017). One of the indications of the similarities is the use of encryptors – Lorenz uses the same encryptor as ThunderCrypt, which could indicate operations by the same group, or a purchase or theft of code.
Lorenz is human-operated ransomware, run by operators known to be customize their executable code, tailoring it for their targets. This implies that they may maintain persistent access for reconaissance purposes for some extended period of time prior to ransomware deployment. They often follow the pattern of initial access, followed by reconaissance and lateral movement, ultimately seeking a Windows domain
controller in search of administrator credentials.
Read more of this report at HHS.