Enterprise Healthcare Providers Warned of Lorenz Ransomware Threat

Lorenz targets victims with executable code customized for each targeted organization. HC3 notes that this tactic implies the actors maintain persistent access for reconnaissance “for an extended period of time” before deploying the ransomware payload. The typical pattern begins with initial access, followed by reconnaissance and lateral movement to connected devices, with the primary goal of locating a Windows domain controller and obtaining administrator credentials. The code also allows multiple program threads to share resources while preventing more than one instance of Lorenz from running at the same time. Further, each file encrypted by the ransomware uses a randomly generated password, and the file's encryption key is generated with the CryptDeriveKey function. The alert also notes that in one observed instance, Lorenz was “identified exploiting a vulnerability in the Mitel Service Appliance component of MiVoice Connect (CVE-2022-29499).”
Enterprise healthcare delivery organizations are urged to bolster defenses around the four key attack vectors known to be used by Lorenz: phishing attacks; exploitation of known vulnerabilities; remote access technologies, “especially RDP”; and distributed cyberattacks, “especially supply chain and Managed Service Provider compromise.”

https://www.scmagazine.com/analysis/ransomware/enterprise-healthcare-providers-warned-of-lorenz-ransomware-threat?&web_view=true