THREAT ACTOR: Lorenz ransomware gang
Lorenz is a new ransomware operation that targets enterprise organizations worldwide with customized attacks, demanding hundreds of thousands of dollars in ransoms.
The Lorenz ransomware gang began operating in April 2021 and has since amassed a growing list of victims whose stolen data has been published on a ransomware data leak site.
The Lorenz ransomware gang may have a link to the ThunderCrypt operators. The Lorenz gang began operating last month. Since then, the group has developed a notable list of victims. A data leak site houses victims’ stolen and exposed data.
It is not clear whether Lorenz is the same group as ThunderCrypt or purchased the ransomware source code to create its own variant.
Like other human-operated ransomware attacks, Lorenz operators breach a network and spread laterally to other devices until they gain access to Windows domain administrator credentials. While spreading through the network, they harvest unencrypted files from victims' servers and upload them to remote servers under their control. The stolen data is then published on a dedicated data leak site, either to pressure victims into paying a ransom or to sell the data to other threat actors.