Lorenz is a ransomware/extortion malware family and associated intrusion set observed in enterprise compromises. In the provided reporting, Arctic Wolf Labs investigated a Lorenz intrusion in which the actor exploited CVE-2022-29499, a remote code execution vulnerability in the Mitel MiVoice Connect Service Appliance, to gain initial access through an exposed VoIP appliance. Observed exploitation included GET requests to /scripts/vtest.php and /ucbsync.php, followed by use of cURL to download a shell script (wc2_deploy) from 137.184.181[.]252 that established an SSL-encrypted reverse shell to 137.184.181[.]252:443. The actor then used the Mitel CLI to create a hidden directory, downloaded the Chisel tunneling tool from GitHub, renamed it to mem, and used it to pivot into the victim network over https://137.184.181[.]252:8443; later activity re-established reverse shell and Chisel infrastructure via 138.68.59[.]16 on ports 443 and 8443.
For persistence, the actor used a webshell named pdf_import_export.php placed at /vhelp/pdf/en/ on the Mitel device. The webshell accepted triple-base64-encoded commands via HTTP POST and returned triple-base64-encoded output. Post-compromise activity relied heavily on living-off-the-land techniques and common offensive tooling. Lorenz used CrackMapExec through the SOCKS tunnel, including the lsassy module to dump LSASS credentials via comsvcs.dll MiniDump, and also used a PowerShell Out-Minidump technique abusing Windows Error Reporting. Discovery activity included certutil to identify Active Directory Certificate Authorities, as well as netsh, ipconfig, netstat, recursive directory listing, and findstr searches for password-related strings. The actor obtained privileged local administrator and domain administrator credentials and moved laterally via RDP, including access to a domain controller.
Before encryption, Lorenz exfiltrated data using FileZilla over SSH/SFTP to attacker-controlled infrastructure. Reported exfiltration destinations included 138.197.218[.]11, 138.68.19[.]94, 159.65.248[.]159, 206.188.197[.]125, and 64.190.113[.]100. For impact, Lorenz used Microsoft BitLocker Drive Encryption for widespread encryption by deploying a PowerShell script via remotely created scheduled tasks from a domain controller. The script modified HKLM\SOFTWARE\Policies\Microsoft\FVE registry keys, set a RecoveryKeyMessage containing a Lorenz Tor .onion negotiation URL, attempted to install the BitLocker feature, and enabled BitLocker with AES-256 using a plaintext password embedded in the script. The actor also sent HTTP POST requests to 206.188.197[.]125 to report encryption progress and cleared Windows event logs after encryption. In addition to BitLocker-based encryption, a small number of ESXi hosts were encrypted with Lorenz ransomware.
High-confidence indicators mentioned in the content include infrastructure at 137.184.181[.]252, 138.68.59[.]16, 138.197.218[.]11, 138.68.19[.]94, 159.65.248[.]159, 206.188.197[.]125, and 64.190.113[.]100; the webshell path /vhelp/pdf/en/pdf_import_export.php; exploitation-related requests to /scripts/vtest.php and /ucbsync.php; Chisel binary SHA-256 97ff99fd824a02106d20d167e2a2b647244712a558639524e7db1e6a2064a68d; and webshell SHA-256 07838ac8fd5a59bb741aae0cf3abf48296677be7ac0864c4f124c2e168c0af94. The content also notes Lorenz appeared only rarely in one ransomware trend dataset, with two incidents representing less than one percent of observed cases.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
...deployed Lorenz ransomware... exploiting a novel remote code execution (RCE) flaw on Mitel's MiVoice Connect VOIP appliance (CVE-2022-29499).
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware family listed among active groups impacting industrial organizations in Q4 2023.
Ransomware family used by the Lorenz group for double-extortion: initial access via Mitel MiVoice Connect RCE (CVE-2022-29499), persistence via a webshell, credential dumping (LSASS), data exfiltration (FileZilla/SFTP), and encryption primarily via BitLocker plus Lorenz ransomware on some ESXi hosts.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.