GOLD LOUNGE
SUMMARY
GOLD LOUNGE is a financially motivated cybercriminal threat group that operates and distributes the Lorenz ransomware. Lorenz first emerged as a name-and-shame ransomware operation at the end of April 2021, but third-party researchers have linked Lorenz to the sz40 and ThunderCrypt ransomware families, and CTU researchers have observed intrusion activity dating back to late 2020 that ultimately resulted in the deployment of Lorenz. It is unclear whether GOLD LOUNGE operates Lorenz as ransomware-as-a-service.
Observed Lorenz ransomware intrusions have been characterised by the use of SMBExec for remote command execution and lateral movement, Windows scheduled tasks for persistence and lateral movement, and the use of native system utilities for reconnaissance. The Lorenz ransomware is likely to be staged on compromised domain controllers and distributed using scheduled tasks that delete volume shadow copies and clear event logs immediately after executing the ransomware.
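The scheduled-task behaviour described above can be hunted for in task-creation telemetry. The following is an added detection sketch, not code from this profile or from CTU researchers: it assumes Windows Security event 4698 records whose task action has already been extracted into a `command` field, and it uses generic, widely documented command patterns because the profile quotes no command lines. All hosts, task names and paths in the sample are constructed.

```python
import re
from collections import defaultdict

# Generic, widely documented command patterns (assumed; the page quotes no command lines).
PATTERNS = {
    "shadow_copy_delete": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "event_log_clear": re.compile(
        r"wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog", re.I),
}

def classify(command):
    """Return the destructive behaviours present in one task command line."""
    return {name for name, rx in PATTERNS.items() if rx.search(command)}

def detect(events, min_hosts=2):
    """Group flagged task-creation events by task name and grade them.
    critical: both behaviours and the same task on >= min_hosts hosts
    high:     both behaviours on fewer hosts; medium: one behaviour only."""
    hits = defaultdict(lambda: {"hosts": set(), "behaviours": set()})
    for ev in events:
        if ev["event_id"] != 4698:  # Security 4698: a scheduled task was created
            continue
        found = classify(ev["command"])
        if found:
            hits[ev["task"]]["hosts"].add(ev["host"])
            hits[ev["task"]]["behaviours"] |= found
    alerts = []
    for task, h in sorted(hits.items()):
        both = len(h["behaviours"]) == len(PATTERNS)
        spread = len(h["hosts"]) >= min_hosts
        severity = "critical" if both and spread else "high" if both else "medium"
        alerts.append({"task": task, "hosts": sorted(h["hosts"]),
                       "behaviours": sorted(h["behaviours"]), "severity": severity})
    return alerts

# Constructed sample events; hosts, task names and paths are hypothetical.
CHAIN = r"cmd /c \\DC01\share\sample.exe & vssadmin delete shadows /all /quiet & wevtutil cl System"
SAMPLE = [
    {"event_id": 4698, "host": "WS01", "task": r"\Updater", "command": CHAIN},
    {"event_id": 4698, "host": "WS02", "task": r"\Updater", "command": CHAIN},
    {"event_id": 4698, "host": "SRV03", "task": r"\Backup Cleanup",
     "command": "vssadmin.exe delete shadows /for=C: /oldest"},
    {"event_id": 4698, "host": "WS01", "task": r"\Defrag", "command": "defrag.exe C: /O"},
    {"event_id": 4699, "host": "WS02", "task": r"\Updater", "command": ""},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Because the tasks clear event logs on the host after they run, this logic is only useful against events that have already been forwarded to a central collector.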