Cyber Threat Actor: Lorenz
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
5 incidents |
|---|
Profile
Lorenz is a ransomware group also known by the alias Lorenz, with its operational base identified as Russia. The group primarily targets large enterprise organizations across multiple sectors, including pharmaceutical distribution, defense contracting, healthcare providers, and logistics services, as evidenced by incidents affecting companies in the United States, Canada, the United Kingdom, and Germany. Lorenz’s stated strategic objective is financial gain, demonstrated by its ransom demands of hundreds of thousands of dollars, the sale of stolen data to other threat actors, and the offering of victim network access for purchase.
The group’s typical tactics involve exploiting critical vulnerabilities in Mitel telephony systems to gain initial entry into a target network, after which the attackers remain dormant for several months before deploying their backdoor for data exfiltration and file encryption. Lorenz employs its eponymous ransomware to encrypt files while simultaneously exfiltrating sensitive information, which is then uploaded to a dedicated leak site where victims can buy decryption keys or purchase the stolen archives. The gang also advertises the sale of compromised network access and follows a double‑extortion model by threatening to release decryption keys publicly if ransoms are not paid. Independent researchers have released a free decryptor capable of recovering certain file types, such as Office documents, PDFs, images, and videos, indicating that the ransomware’s encryption routine has known weaknesses.
Representative operations attributed to Lorenz include the breach of MWI Animal Health, a subsidiary of AmerisourceBergen, where the group allegedly used telephony flaws to infiltrate the network and later leaked data on its extortion site; the ransomware attack on the UK subsidiary of defense contractor Hensoldt, during which password‑protected archives of stolen files were published and the group offered decryption keys for sale; and the incident at Wolfe Eye Clinic, where Lorenz listed the clinic on its leak site, offered encrypted data for purchase, and attempted to sell internal network access. Additional notable cases involve the ransomware‑driven exposure of shipping manifest data for Canada Post’s commercial customers via a compromised third‑party supplier and the targeting of Alta Forest Products, which resulted in the compromise of protected health information for thousands of individuals. These examples illustrate the group’s focus on high‑value targets, its reliance on telephony‑based initial access, and its monetization strategy through ransom, data sales, and access brokerage.
