Lorenz ransomware gang hit Texas-based Cogdell Memorial Hospital

The Lorenz ransomware group hit Texas-based Cogdell Memorial Hospital

Pierluigi Paganini
November 12, 2023

The Lorenz extortion group leaked the data stolen from the Texas-based Cogdell Memorial Hospital.

In early November, the Cogdell Memorial Hospital (Scurry County Hospital District) announced it was experiencing a computer network incident that prevented the hospital from accessing some of its systems and severely limiting the operability of its phone system. The hospital immediately removed network connectivity and continued to provide most routine services.

The facility operates as a Critical Access Hospital and a Rural Health Clinic serving rural West Texas. It is a 70-bed hospital that provides a wide range of services, including:

  • Emergency care
  • Inpatient and outpatient surgery
  • Medical imaging
  • Laboratory services
  • Physical therapy
  • Occupational therapy
  • Speech therapy
  • Home health care
  • Hospice care

The Lorenz extortion group claimed responsibility for the security breach and added the hospital to its Tor leak site. The group claims to theft of more than 400GB of data, including internal files, patient medical images, and also employee email communications.

The Lorenz ransomware gang has been active since April 2021 and hit multiple organizations worldwide demanding hundreds of thousands of dollars in ransom to the victims.

Like other ransomware gangs, Lorenz operators also implement double-extortion model by stealing data before encrypting it and threatening them if the victim doesn’t pay the ransom. Ransom demands have been quite high, between $500.000 and $700.000.

At the time of this writing, the Loren group has started uploading the stolen data (95%)

US Healthcare organizations continue to be a privileged target of ransomware gangs.

The popular researcher Brett Callow states that far this year, 29 US health systems with 90 hospitals between them have been impacted by ransomware, and at least 23/29 had data stolen.

In mid-October, the ALPHV/BlackCat ransomware group claimed to have hacked the Morrison Community Hospital and added it to its dark web Tor leak site. The group claimed to have stolen 5TB of patients’ and employee’s information, backups, PII documents, and more. The gang also published a sample as proof of the stolen data.

In September, the LockBit ransomware group breached two hospitals, the Carthage Area Hospital and the Clayton-Hepburn Medical Center in New York.

This isn’t the first time the Lockbit gang or its affiliates hit a hospital. In January, the LockBit ransomware gang formally apologized for the attack on the Hospital for Sick Children (SickKids) and released a free decryptor for the Hospital.

The group is known to have a role for its affiliates that prohibits attacking healthcare organizations. Its policy forbids encrypting systems of organizations where damage could lead to the death of individuals.

The gang explained that one of its partners attacked SickKids violating its rules, for this reason, it blocked the affiliate.

Affiliates of the Lockbit gang have also hit other healthcare organizations in the past, in early December 2022, the Hospital Centre of Versailles was hit by a cyber attack that was attributed to the group. Hospital Centre of Versailles, which includes Andre-Mignot Hospital, Richaud Hospital and the Despagne Retirement Home, canceled operations and transferred some patients due to the cyberattack.

In August, the gang attacked the Center Hospitalier Sud Francilien (CHSF), a hospital southeast of Paris. The attack disrupted the emergency services and surgeries and forced the hospital to refer patients to other structures. According to local media, threat actors demand a $10 million ransom to provide the decryption key to restore encrypted data.

Other ransomware attacks recently hit US hospitals. Recently the Rhysida ransomware group made the headlines because it announced the hack of Prospect Medical Holdings and the theft of sensitive information from the organization.

The Rhysida ransomware group threatened Prospect Medical Holdings to leak the stolen data if the company did not pay a 50 Bitcoins ransom (worth $1.3 million). The same group this week claimed to have breached other three US hospitals.

The systems at three hospitals and other medical facilities operated by Singing River Health System were hit by a cyber attack at the end of August.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Cogdell Memorial Hospital)