Experts have warned that patching critical vulnerabilities may not be enough to stay protected from ransomware attacks. Some attackers, Lorenz ransomware in this case, have been observed planting backdoors and returning months later after being patched.
Lorenz ransomware
S-RM researchers have identified a Lorenz ransomware attack that was completed months after the attackers gained initial access to the victim's network.
They exploited CVE-2022-29499, a vulnerability in the Mitel telephony infrastructure.
The victim firm had applied the patch for this vulnerability in July 2022, however, the threat group abused the vulnerability and planted a backdoor before that.
The backdoor was left dormant until December 2022, when the attackers leveraged it to move laterally across the network, steal data, and encrypt systems.
Technical details
Attackers hid the backdoor by naming it twitter_icon_<ransom string> and placed it in a genuine location directory.
After five months, they used the backdoor and deployed the ransomware within 48 hours.
Implications of the delay
The long inactivity suggests that the ransomware group purchased its access to the network from a broker.
Alternatively, it is possible that the Lorenz ransomware group is very well-organized into separate branches. There is a dedicated branch that gets initial access and protects it against possible hijacking by other attackers until its attacking branch is ready to leverage it.
Conclusion
The Lorenz ransomware group is believed to be returning to old backdoors, checking access, and using them to launch ransomware attacks. To stay protected, experts suggest checking for any possible intrusion, besides updating software to the latest version in case any relevant critical zero-day vulnerability is discovered.