GOLD LOUNGE
SUMMARY
GOLD LOUNGE was a financially motivated cybercriminal threat group that operated and distributed the Lorenz ransomware. Lorenz first emerged as a name-and-shame ransomware operation at the end of April 2021, but third-party researchers have linked Lorenz to the sz40 and ThunderCrypt ransomware families, and CTU researchers have observed intrusion activity dating back to late 2020 that ultimately resulted in the deployment of Lorenz. It is unclear whether GOLD LOUNGE operated Lorenz as a ransomware-as-a-service; the group last named a victim on its dedicated leak site in December 2023.
Observed Lorenz ransomware intrusions have been characterised by the use of SMBExec for remote command execution and lateral movement, Windows scheduled tasks for persistence and lateral movement, and the use of native system utilities for reconnaissance. The Lorenz ransomware was generally staged on compromised domain controllers and distributed using scheduled tasks that deleted volume shadow copies and cleared event logs immediately after executing the ransomware.
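The deployment pattern described above (scheduled tasks whose actions delete volume shadow copies and clear event logs) is a concrete detection opportunity for defenders. The following is an added example, not CTU tooling or anything recovered from a Lorenz intrusion: it scans a small constructed set of Windows Security event 4698 (scheduled task created) records, flattened here to a pipe-delimited `event_id|host|task_name|command|arguments` stand-in for the task XML a real event carries, and flags tasks whose command line matches shadow-copy deletion or event-log clearing. The record format, host names and task names are all constructed for the example.

```python
"""Flag scheduled-task creation events whose action deletes volume shadow
copies or clears Windows event logs.

Added example for this profile; the sample events below are constructed and
the flattened record format is an assumption, not a real Windows export.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Command-line patterns for the two behaviours the profile attributes to
# the Lorenz deployment tasks. Matching is case-insensitive and tolerates
# the optional .exe suffix and intervening arguments.
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]
EVENT_LOG_CLEARING = [
    re.compile(r"\bwevtutil(?:\.exe)?\b.*\b(?:cl|clear-log)\b", re.I),
]

TASK_CREATED = 4698  # Security log: "A scheduled task was created"


@dataclass
class Finding:
    host: str
    task_name: str
    reasons: List[str] = field(default_factory=list)


def parse_record(line: str) -> dict:
    """Parse one flattened record: event_id|host|task_name|command|arguments.

    A real 4698 event embeds the task definition as XML; this flat form is an
    assumption made so the example runs offline.
    """
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed record: {line!r}")
    event_id, host, task_name, command, args = parts
    return {
        "event_id": int(event_id),
        "host": host,
        "task_name": task_name,
        # Join program and arguments so patterns can match either part.
        "command_line": f"{command} {args}".strip(),
    }


def classify(command_line: str) -> List[str]:
    """Return the list of behaviours a task command line exhibits."""
    reasons = []
    if any(p.search(command_line) for p in SHADOW_COPY_DELETION):
        reasons.append("shadow-copy-deletion")
    if any(p.search(command_line) for p in EVENT_LOG_CLEARING):
        reasons.append("event-log-clearing")
    return reasons


def detect(lines: Iterable[str]) -> List[Finding]:
    """Run the classifier over task-creation records and collect findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["event_id"] != TASK_CREATED:
            continue  # only task creation is in scope here
        reasons = classify(rec["command_line"])
        if reasons:
            findings.append(Finding(rec["host"], rec["task_name"], reasons))
    return findings


# Constructed sample: one benign built-in task, three suspicious tasks, and a
# task-updated event (4702) that is out of scope for this detector.
SAMPLE_EVENTS = [
    "4698|DC01|\\Microsoft\\Windows\\Defrag\\ScheduledDefrag|%windir%\\system32\\defrag.exe|-c -h -o",
    "4698|DC01|\\Updater|C:\\Windows\\System32\\cmd.exe|/c vssadmin.exe delete shadows /all /quiet",
    "4698|DC01|\\Cleanup|C:\\Windows\\System32\\cmd.exe|/c wevtutil cl Security & wevtutil cl System",
    "4698|FS02|\\Maint|C:\\Windows\\System32\\cmd.exe|/c wmic shadowcopy delete & wevtutil.exe cl Application",
    "4702|FS02|\\Maint|C:\\Windows\\System32\\cmd.exe|/c whoami",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host}: task {f.task_name} -> {', '.join(f.reasons)}")
```

Because the profile notes the ransomware was staged on compromised domain controllers, findings where the host is a domain controller deserve the highest triage priority; in a real pipeline the `command_line` field would be taken from the `<Exec><Command>` and `<Arguments>` elements of the task XML in the 4698 event rather than from a flat export.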