HPH Sector Informed About Lorenz Ransomware Group

The healthcare and public health (HPH) sector has been warned about the threat of ransomware attacks conducted by the Lorenz threat group, which has carried out a few attacks in America over the past two years, with no sign that the attacks are decreasing.

Lorenz ransomware is human-operated and is deployed after the threat actors have gained access to sites and exfiltrated information. Once access to the network is obtained, the group is known to customize its executable code for each targeted organization. The Lorenz actors are persistent and perform considerable reconnaissance over an extended period before deploying ransomware and encrypting files. The group uses double extortion tactics: it exfiltrates sensitive data before encrypting files, then demands a ransom payment in exchange for not selling or publishing that information, in addition to requiring payment for the keys to decrypt files.

Many ransomware threat actors steal data and threaten to publish the stolen information on a data leak site if the ransom is not paid. The method employed by Lorenz is notably different. If the victim does not pay after the initial ransom demand, the group attempts to sell the stolen information to other threat actors and competitors. When the ransom remains unpaid, Lorenz publishes password-protected archives containing the stolen records on its data leak page. If the group cannot make money from the stolen information, the passwords for the archives are then published, which allows anyone to access and download the stolen files. There have been cases where the group has maintained access to victims’ systems and has sold that access to other threat groups.

Lorenz engages in big game hunting, mostly targeting large organizations, with ransom demands normally around $500,000 to $700,000. There are no known attacks on non-business targets, and almost all victims are English-speaking. Unlike many other ransomware gangs, relatively little is known about this group. The group gains initial access to victims’ networks through methods such as phishing, compromising remote access technologies such as RDP and VPNs, exploiting unpatched vulnerabilities in software and operating systems, and attacking managed service providers (MSPs) and then pivoting to attack the MSPs’ customers.

The Health Sector Cybersecurity Coordination Center (HC3) Analyst Note includes references, known Indicators of Compromise, and other resources that network defenders can use to strengthen their defenses against Lorenz ransomware attacks.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone