"Enterprise Healthcare Providers Warned of Lorenz Ransomware Threat"

The Department of Health and Human Services Cybersecurity Coordination Center (HC3) has issued a warning to larger, enterprise healthcare organizations about the Lorenz ransomware threat group. The human-operated campaign is well known for going after larger organizations, and it has claimed victims in both the healthcare and public health sectors. The alert comes after a warning about the serious threat that Hive ransomware actors pose to healthcare organizations. HC3 also issued a brief earlier this month on the relatively new Venus ransomware group, which has claimed at least one US healthcare entity since its inception in August. Venus primarily targets Windows devices with exposed Remote Desktop Services (RDS).

While open-source reports indicate that Venus' ransom demands start at 1 BTC, or less than $20,000, the Lorenz group operates on a much larger scale, with demands ranging from $500,000 to $700,000. The actors also sell access to the victim's network. Lorenz has been active for at least two years and runs a data leak site, as is typical of an extortion group. The group's tactics are far more malicious: HC3 warns that when the actors become frustrated with a victim's refusal to pay, they will first sell the stolen data to other threat actors or competitors. If that does not work, Lorenz will release password-protected RAR archives of the victim's data. If those efforts do not yield monetary rewards, the group then releases the password for the entire archive, making it publicly accessible to anyone. In a situation similar to the recent attack, extortion attempt, and subsequent data leak of files associated with Medibank, Australia's largest health insurer, this extortion model could have serious consequences.

Furthermore, Lorenz targets victims with customized executable code that is specifically tailored to the targeted organization. According to HC3, this tactic implies that the actors maintain persistent access for reconnaissance for an extended period before deploying the ransomware payload. The typical pattern begins with initial access, followed by reconnaissance and lateral movement to connected devices, all to locate a Windows domain controller and obtain administrator credentials. The code also allows multiple program threads to share resources while preventing multiple Lorenz instances from running at the same time. Each ransomware-encrypted file employs a randomly generated password, and its encryption key is generated using the CryptDeriveKey function. This article continues to discuss warnings of the Lorenz ransomware threat to enterprise healthcare providers.

SC Magazine reports "Enterprise Healthcare Providers Warned of Lorenz Ransomware Threat"