THREAT ACTOR: Lorenz ransomware gang

Lorenz is a new ransomware operation that targets enterprise organizations worldwide with customized attacks demanding hundreds of thousands of dollars in ransoms.

The Lorenz ransomware gang began operating in April 2021 and has since amassed a growing list of victims whose stolen data has been published on a ransomware data leak site.

The Lorenz ransomware gang may have a link to the ThunderCrypt operators.

It is not clear whether Lorenz is the same group as ThunderCrypt or purchased the ransomware source code to create its own variant.

Like other human-operated ransomware groups, the Lorenz operators breach a network and spread laterally to other devices until they gain access to Windows domain administrator credentials. While spreading through the network, they harvest unencrypted files from victims' servers and upload them to remote servers under their control. The stolen data is then published on a dedicated data leak site to pressure victims into paying a ransom, or it is sold to other threat actors.

 

Incidents Associated with this Threat

  • May 26, 2021: Canada Post Customers Affected by Ransomware Attack at Supplier

Malware Used by this Threat Actor

No malware identified for this threat actor.
