HC3 TLP Clear Analyst Note: Lorenz Ransomware - November 21, 2022

Executive Summary

Lorenz is human-operated ransomware that has been in operation for approximately two years. In that time, HC3 has become aware of compromises of healthcare and public sector targets. It is used to target larger organizations in what is called “big-game hunting”, and its operators publish data publicly to pressure victims during the extortion process. Lorenz is known to target organizations globally using customized code, and its ransom demands can reach hundreds of thousands of dollars.

Report

Lorenz ransomware was first observed in February of 2021. Lorenz is believed to be related to sZ40 ransomware (first observed in October 2020) and ThunderCrypt ransomware (first observed in May of 2017). One indication of the relationship is the encryptor: Lorenz uses the same encryptor as ThunderCrypt, which could indicate operation by the same group, or a purchase or theft of code.
