The Arctic Wolf Labs team recently investigated a Lorenz ransomware intrusion that leveraged a Mitel MiVoice VoIP appliance vulnerability (CVE-2022-29499) for initial access and Microsoft’s BitLocker Drive Encryption for data encryption. Lorenz is a ransomware group that has been active since at least February 2021 and, like many ransomware groups, performs double extortion by exfiltrating data before encrypting systems.
ADVERSARY: Lorenz
TARGETED COUNTRY: United States of America
ATT&CK IDS: T1049 - System Network Connections Discovery, T1560 - Archive Collected Data, T1003 - OS Credential Dumping, T1016 - System Network Configuration Discovery, T1021 - Remote Services, T1027 - Obfuscated Files or Information, T1048 - Exfiltration Over Alternative Protocol, T1053 - Scheduled Task/Job, T1059 - Command and Scripting Interpreter, T1070 - Indicator Removal on Host, T1078 - Valid Accounts, T1083 - File and Directory Discovery, T1090 - Proxy, T1095 - Non-Application Layer Protocol, T1112 - Modify Registry, T1190 - Exploit Public-Facing Application, T1486 - Data Encrypted for Impact, T1505 - Server Software Component, T1518 - Software Discovery, T1529 - System Shutdown/Reboot, T1573 - Encrypted Channel, T1587 - Develop Capabilities, T1588 - Obtain Capabilities