Each and every day there is a new ransomware attack.  Well, more like there are many, many ransomware attacks each and every day.  Recently, Lorenz Ransomware has been all over the news.  While they have been around since 2020, we have heard new things about them over the last two years.  Their latest attack has them back in the news again.  Let’s take a closer look at Lorenz Ransomware, and see what they have in store for their victims.

Lorenz Ransomware Group

Like many ransomware groups, Lorenz operates under the double extortion model.  Data is encrypted, to try to force victims to pay the ransom.  Data is also exfiltrated or stolen, to once again try to force victims to pay the ransom.  Let’s take a closer look at some of the things that make this ransomware organization unique.

This particular ransomware group was first observed in 2020, and also has a reputation for selling stolen data to other organizations.  This is a tactic they use to, of course, convince victims to pay.  If the ransom is not paid, they begin to release archives of the stolen data.  If that wasn’t bad enough, Lorenz also sells access to the victim’s network.

Neither of these is good, and together they make for an especially nasty attack.  While there is a free decryptor available for the encryption, there is still the risk of sensitive data being leaked, even if you can recover the infected files.

While all of this is interesting and notable, this is not why Lorenz is in the news lately.

Lorenz in The News 2022

Thanks to our friends at Arctic Wolf Labs, we now know Lorenz has a new trick up their sleeves.  Arctic Wolf Labs believes that Lorenz has exploited CVE-2022-29499, which impacts Mitel’s MiVoice Connect product.  Yes, you read that right, we’re dealing with some old school phone phreaking brought into 2022.  Remember, this is also a group that has a history of selling access to victims’ networks, and this vulnerability makes it even easier for them to get in.

Another interesting aspect of what was observed about Lorenz is that after they gained access to the device they did…nothing.  After this initial exploration, they waited a month before coming back to continue accessing the environment.

This vulnerability and mitigation patches were released in June of 2022.  Again, while vendors provide the necessary remediation, that does not mean that organizations always implement them in a timely fashion.

There is also a huge focus on monitoring the most critical assets for signs of ransomware or compromise.  While that is a step in the right direction, the fact remains that anything running an operating system can be vulnerable, and anything running an operating system can be exploited – especially when it is on the Internet.

There has been a shift in recent months to threat actors doing just this, and this Lorenz news is a great example of going after lesser monitored (and often lesser maintained) systems.

This just proves that threat actors are always finding new and innovative ways to get into their victims’ environments, and it is our job to stay ahead of them.  Unfortunately this is no easy task, especially with the size and sprawl of many corporate IT environments these days.

It all comes back to good security hygiene, and staying up to date on the latest threats.

Looking for some more information on some of the latest ransomware threats out there?  Check out these articles.

REvil Ransomware in Review

Maui Ransomware

Ransomware In the News: Hello XD

While you can’t 100% prevent a ransomware attack, the time is now to put things into place to be ready to recover from the attack tomorrow.