Hospitals warned of ransomware gang engaging in ‘big game hunting’

Federal officials warn that individuals behind ‘Lorenz’ ransomware are targeting larger organizations, including those in the healthcare industry.

Health systems and hospitals are increasingly the target of ransomware attacks, and now federal officials are warning about a newer, emerging threat.

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center, known as HC3, issued an advisory this month about a newer threat aimed at the healthcare and public sectors.

The HC3 advisory warns about “Lorenz” ransomware, operated by a group that typically targets enterprise groups rather than private individuals. The ransomware group is “known to target larger organizations in what is known as ‘big game hunting’,” the advisory stated.

The Lorenz ransom demands range from $500,000 to $700,000. The group has been known to release private health information publicly to pressure organizations to pay the ransom, federal officials say.

Authorities say the Lorenz ransomware was first identified in February 2021 and that healthcare organizations have been compromised.

The group tends to release private information differently from other ransomware groups, according to HC3.

If an organization is reluctant to pay, the Lorenz gang will put the stolen data up for sale to other ransomware groups. If the victimized organization still doesn’t pay up, the Lorenz group will release password-protected archives containing private information.

If the Lorenz group can’t sell the data and the victim still isn’t paying the ransom, they will publicly release the password for all the archives, allowing anyone to access them, HC3 says. They will also sell access to the organization’s network, officials say.

The Lorenz gang tailors its ransomware attacks for individual targets, the advisory stated.

John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk, said in a statement that the Lorenz group designs attacks specifically for different organizations.

“The fairly new Lorenz ransomware is unique in that its operators appear to customize their executable code to be target specific, unlike other ransomware operators which use the same ransomware code to target multiple unrelated victim organizations,” Riggi said in the statement.

“According to HC3, this may indicate that the hackers may be present for reconnaissance purposes for an extended time before executing the ransomware,” Riggi said. “What is consistent is that the Lorenz ransomware attack vectors are similar to other ransomware operators: phishing emails, compromises of known vulnerabilities and remote access technologies, and penetrating supply chains and managed service providers.”

While the Lorenz group has gone after targets globally, most of Lorenz’s targets are English-speaking organizations.

Unlike some other ransomware organizations, the Lorenz gang is a relative mystery and information about the group is fairly limited, federal officials say.

Ransomware attacks on hospitals are becoming more common, cybersecurity experts say. CommonSpirit Health, one of America’s largest hospital systems, said it was hit with a ransomware attack in October. Some hospitals had to reschedule appointments and some systems had to be taken offline.

Federal authorities issued a warning last month about a ransomware gang known as the Daixin Team that was primarily targeting healthcare organizations and the health sector.

The Daixin Team has targeted the healthcare sector with ransomware and data extortion operations since at least June 2022, according to a federal Joint Cybersecurity Advisory issued by the FBI, the Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services. The gang has engaged in “multiple” ransomware incidents in the healthcare sector, the advisory states.

While cyberattacks are costly to healthcare organizations, experts warn that they also pose threats to patient safety when systems are accessed and procedures are delayed.