Lorenz
Lorenz is a ransomware/extortion malware family and associated intrusion set observed in enterprise compromises.
Profile source: Mallory opens in a new tabLorenz
Family profile
Lorenz is a ransomware/extortion malware family and associated intrusion set observed in enterprise compromises. In the provided reporting, Arctic Wolf Labs investigated a Lorenz intrusion in which the actor exploited CVE-2022-29499, a remote code execution vulnerability in the Mitel MiVoice Connect Service Appliance, to gain initial access through an exposed VoIP appliance. Observed exploitation included GET requests to /scripts/vtest.php and /ucbsync.php, followed by use of cURL to download a shell script (wc2_deploy) from 137.184.181[.]252 that established an SSL-encrypted reverse shell to 137.184.181[.]252:443. The actor then used the Mitel CLI to create a hidden directory, downloaded the Chisel tunneling tool from GitHub, renamed it to mem, and used it to pivot into the victim network over https://137.184.181[.]252:8443; later activity re-established reverse shell and Chisel infrastructure via 138.68.59[.]16 on ports 443 and 8443.
For persistence, the actor used a webshell named pdf_import_export.php placed at /vhelp/pdf/en/ on the Mitel device. The webshell accepted triple-base64-encoded commands via HTTP POST and returned triple-base64-encoded output. Post-compromise activity relied heavily on living-off-the-land techniques and common offensive tooling. Lorenz used CrackMapExec through the SOCKS tunnel, including the lsassy module to dump LSASS credentials via comsvcs.dll MiniDump, and also used a PowerShell Out-Minidump technique abusing Windows Error Reporting. Discovery activity included certutil to identify Active Directory Certificate Authorities, as well as netsh, ipconfig, netstat, recursive directory listing, and findstr searches for password-related strings. The actor obtained privileged local administrator and domain administrator credentials and moved laterally via RDP, including access to a domain controller.
Before encryption, Lorenz exfiltrated data using FileZilla over SSH/SFTP to attacker-controlled infrastructure. Reported exfiltration destinations included 138.197.218[.]11, 138.68.19[.]94, 159.65.248[.]159, 206.188.197[.]125, and 64.190.113[.]100. For impact, Lorenz used Microsoft BitLocker Drive Encryption for widespread encryption by deploying a PowerShell script via remotely created scheduled tasks from a domain controller. The script modified HKLM\SOFTWARE\Policies\Microsoft\FVE registry keys, set a RecoveryKeyMessage containing a Lorenz Tor .onion negotiation URL, attempted to install the BitLocker feature, and enabled BitLocker with AES-256 using a plaintext password embedded in the script. The actor also sent HTTP POST requests to 206.188.197[.]125 to report encryption progress and cleared Windows event logs after encryption. In addition to BitLocker-based encryption, a small number of ESXi hosts were encrypted with Lorenz ransomware.
High-confidence indicators mentioned in the content include infrastructure at 137.184.181[.]252, 138.68.59[.]16, 138.197.218[.]11, 138.68.19[.]94, 159.65.248[.]159, 206.188.197[.]125, and 64.190.113[.]100; the webshell path /vhelp/pdf/en/pdf_import_export.php; exploitation-related requests to /scripts/vtest.php and /ucbsync.php; Chisel binary SHA-256 97ff99fd824a02106d20d167e2a2b647244712a558639524e7db1e6a2064a68d; and webshell SHA-256 07838ac8fd5a59bb741aae0cf3abf48296677be7ac0864c4f124c2e168c0af94. The content also notes Lorenz appeared only rarely in one ransomware trend dataset, with two incidents representing less than one percent of observed cases.
Ransomware.live
Operational record
Exploited software
Vulnerabilities linked to Lorenz
1 CVEsReporting
Research mentioning Lorenz
Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace | Google Cloud Blog
"...an actor who ultimately deployed Lorenz ransomware..."
Dragos Industrial Ransomware Analysis: Q4 2023 | Dragos
Lorenz, Metaencryptor, Money message, Rhysida, Snatch, and Trigona: less than one percent each (2 incidents each)
Lorenz Ransomware Group Cracks MiVoice | Arctic Wolf
Arctic Wolf Labs ... investigated a Lorenz ransomware intrusion, which leveraged a Mitel MiVoice VoIP appliance vulnerability (CVE-2022-29499) for initial access and Microsoft’s BitLocker Drive Encryption for data encryption.