The Department of Health and Human Services Cybersecurity Coordination Center is warning larger, enterprise healthcare organizations of the potential threat posed by the Lorenz ransomware threat group.

The human-operated campaign is well-known for its big-game hunting of larger organizations and has claimed victims in both the healthcare and public health sectors.

The alert follows a warning of the serious threat posed by Hive ransomware actors to healthcare organizations. Earlier this month, HC3 also issued a brief on the relatively new group known as Venus ransomware, which has claimed at least one U.S. healthcare entity since emerging in August. Venus primarily targets exposed Remote Desktop Services on Windows devices.

But while open-source reports show Venus’ ransom demands begin around 1 BTC, or less than $20,000, the Lorenz group operates in a much bigger playing field with demands that range from $500,000 to $700,000. The actors are also known to sell access to the victim’s network.

Lorenz has been active for at least two years and operates a data leak site, per the typical extortion group model. However, the group’s tactics are far more nefarious. HC3 warns that “upon becoming frustrated with a victim’s unwillingness to pay, they first make the stolen data available for sale to other threat actors or competitors.”

If that fails to garner a payment, Lorenz will then “release password protected RAR archives” of the victim’s data. If those efforts don’t result in monetary gains, the group then releases “the password for the full archives, so they will be publicly available for anyone to access.”

The model could result in a serious fallout in a situation like the recent attack, extortion attempt, and subsequent data leak of files tied to MediBank, Australia’s largest health insurer.

What’s more, Lorenz targets victims using customized executable code, expressly tailored to the targeted organization. HC3 notes that the tactic implies the actors will maintain persistent access for reconnaissance “for an extended period of time” before deploying the ransomware payload.

The typical pattern begins with initial access, then reconnaissance and lateral movement to connected devices, with the primary purpose of finding a Windows domain controller to obtain administrator credentials. Their code also enables multiple program threads to share resources, while preventing multiple instances of Lorenz running concurrently.

Further, each file encrypted with the ransomware uses a randomly generated password and its encryption key is generated with the CryptDeriveKey function.

The alert also shows that in one observed instance, Lorenz was “identified exploiting a vulnerability in the Mitel Service Appliance component of MiVoice Connect (CVE-2022-29499).”

Compared with other groups, relatively little is known about Lorenz. But HC3 explained that the previously identified indicators could be used for detection, mitigation, and defense mechanisms.

Enterprise delivery organizations are urged to bolster defenses around the four key attack vectors known to be used by Lorenz, including phishing attacks, exploits of known vulnerabilities and remote access technologies, “especially RDP”, and distributed cyberattacks, “especially supply chain and Managed Service Provider compromise.”

The HC3 alert contains a list of IOCs for organizations to review and respond.