The Department of Health and Human Services Cybersecurity Coordination Center (HC3) is warning larger, enterprise healthcare organizations of the potential threat posed by the Lorenz ransomware threat group. The human-operated campaign is well known for its big-game hunting of larger organizations and has claimed victims in both the healthcare and public health sectors. The alert follows a warning of the serious threat posed by Hive ransomware actors to healthcare organizations.
Earlier this month, HC3 also issued a brief on the relatively new group known as Venus ransomware, which has claimed at least one U.S. healthcare entity since emerging in August. Venus primarily targets exposed Remote Desktop Services on Windows devices. But while open-source reports show Venus’ ransom demands begin around 1 BTC, or less than $20,000, the Lorenz group operates on a much bigger playing field, with demands that range from $500,000 to $700,000. The actors are also known to sell access to the victim’s network.
Lorenz has been active for at least two years and operates a data leak site, per the typical extortion group model. HC3 warns that “upon becoming frustrated with a victim’s unwillingness to pay, they first make the stolen data available for sale to other threat actors or competitors.” If that fails to garner a payment, Lorenz will then “release password protected RAR archives” of the victim’s data. If those efforts don’t result in monetary gains, the group then releases “the password for the full archives, so they will be publicly available for anyone to access.” The model could result in serious fallout in a situation like the recent attack, extortion attempt, and subsequent data leak of files tied to Medibank, Australia’s largest health insurer.