Breach Notification , Cybercrime , Electronic Healthcare Records

Lorenz Ransomware Alert: Risk to Healthcare, Public Sector

Group Hitting Large Victims, Health Sector Cybersecurity Coordination Center Warns
Lorenz Ransomware Alert: Risk to Healthcare, Public Sector
Lorenz's Tor-based data leak site

Large healthcare and public sector organizations are continuing to get hit by attackers wielding Lorenz ransomware, cybersecurity experts warn.

See Also: Securing Healthcare: Minimizing Risk in an Ever-Changing Threat Landscape

"It is used to target larger organizations in what is called 'big-game hunting,' and publishes data publicly as part of pressuring victims in the extortion process," according to a new security alert from the U.S. Department of Health and Human Services.

"Relatively little is known about Lorenz as compared to many other ransomware operators," says HHS' Health Sector Cybersecurity Coordination Center, or HC3.

Lorenz ransomware was first spotted in the wild in February 2021, and appears to be related to sZ40 ransomware - first seen in October 2020 - as well as ThunderCrypt ransomware, which dates from May 2017, according to HHS. Among the commonalities: "Lorenz uses the same encryptor as ThunderCrypt, which could indicate operations by the same group, or a purchase or theft of code." In addition, files encrypted by Lorenz have .Lorenz.sz40 appended to the filename.

Known victims of Lorenz include Wolfe Eye Clinic in Iowa, which fell victim in April 2021, and refused to pay a ransom. Protected health information for up to 500,000 patients was exposed.

Among other recent victims, Lorenz on Nov. 14 claimed via its data leak site to have breached Salud Family Health of Colorado, reports threat intelligence firm Kela.

That followed Salud Family Health in October warning HHS that it had suffered a breach in September affecting an as-yet-unspecified number of patients, as first reported. In its breach notification, Salud tells victims that "your name, Social Security number, driver's license number or Colorado identification card number, financial account information/credit card number, passport number, medical treatment and diagnosis information, health insurance information, biometric data, and username and password" may have been exposed.

Target: Mitel VoIP Vulnerability

Security experts say Lorenz appears to be wielded by a single group, as well as to be a human-operated ransomware operation.

That means instead of the ransomware getting dropped on systems via phishing attacks or botnets, attackers instead tend to gain remote access to a target network, move laterally, try to gain administrator-level access to Active Directory, and finally use it to deploy the ransomware to as many endpoints as possible.

Lorenz appears to use a variety of tactics to gain access to a victim's network.

In September, security operations firm Arctic Wolf warned that Lorenz was exploiting a vulnerability in the Mitel MiVoice Connect VoIP platform, designated CVE-2022-29499, to gain initial access in victims' networks. It said the group appeared at the time to largely been hitting small and midsize businesses in the U.S., as well as some organizations in Mexico and China.

With there being at least 20,000 internet-connected Mitel MiVoice Connect platforms worldwide, it urged all Mitel users to update to a patched version of the software released by the vendor in April.

Lorenz apparently doesn't mind spending weeks reconnoitering a victim's network. In a case investigated by Arctic Wolf, it found that the Lorenz-wielding attacker "waited nearly a month after obtaining initial access to conduct additional activity."

Data Leaking, With a Twist

Like many ransomware groups, Lorenz often exfiltrates data from victims, threatening to dump it onto its Tor-based site if they don't pay a ransom.

But Lorenz tends to take a "non-typical" approach if victims don't pay, HC3 says. "They will next release password-protected RAR archives containing the victim data. Finally, if they fail to monetize the data - if the victim does not pay and the data does not sell, they will release the password for the full archives, so they will be publicly available for anyone to access."

Seeking to monetize their efforts, the group is also been selling stolen databases as well as access to a victim's network to others, cybersecurity firm Cybereason reports.

In June 2021, Dutch cybersecurity firm Tesorian released a free decryptor for Lorenz, hosted by the No More Ransom project. At the time, Gijs Rijnders, a security researcher at Tesorian, reported that Lorenz was demanding "quite high" ransoms, typically ranging from $500,000 to $700,000.

Wallpaper on a system infected by Lorenz (Source: Cybereason)

The Lorenz decryptor "can decrypt (non-corrupted) affected files in some cases without paying the ransom," Rijnders said in a blog post at the time. "Supported file types include Microsoft Office documents, PDF files and some image and movie types."

But in February, Cybereason reported that it's not clear how often the decryptor will recover those types of files, based on tests it ran on files encrypted by both old and new variants of Lorenz.

"In the test that we ran for both old and newer samples - the decrypter did not work and kept alerting that it doesn't support the files - we tried encrypted .docx files: .docx.Lorenz.sz40."

In March, Tesorian reported finding an updated variant of Lorenz, with a compilation stamp of March 2. "Files encrypted by this variant are different from the previous one," Gijs Rijnders, a security researcher at Tesorian, said in a blog post.

The firm also found "a serious bug in the ransomware that makes the attacker unable to recover any encrypted files," he said. "Decryption is still possible without paying the ransom, or to be more specific, only possible without paying the ransom."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.