Lorenz ransomware gang plant backdoors for use months later

Researchers warn that patching vulnerabilities that allow access to the network’s networks is not enough to protect against ransomware attacks.

Some criminal gangs exploit these flaws in order to create a backdoor. The window is still open and the opportunity may return even after victims have applied security updates.

Lorenz ransomware was one example. It reached its conclusion months after hackers had gained access to victim’s networks using an exploit that exploited a critical bug within a telephone system.

Before security updates, backdoor was planted

Researchers at S-RM, a global cyber security and intelligence consulting firm, discovered that hackers had infected the victim’s network for five months prior to moving laterally to steal data and encrypt the systems.

S-RM discovered that hackers had gained access to the Mitel Telephony Infrastructure critical vulnerability allows for remote code execution.

CrowdStrike Services discovered the security problem last year during an investigation into “a suspected ransomware intrusion attempt.” A was not yet available.

S-RM researchers discovered that their client applied CVE-20222-29499’s patch in July. However, Lorenz ransomware hackers moved quicker and exploited that vulnerability and created a backdoor a week prior to the fix.

They exploited two vulnerabilities in Mitel PHP pages located on CentOS systems on the network perimeter. This allowed them to obtain a web shell from the infrastructure, and then install it on the system.” –

Even though there were no exposed pages on the system, the forensic analysis showed that these pages were last accessed by the threat actor’s webshell when it was installed on the victim machine.

Hackers tried to conceal the backdoor by calling it Twitter_icon_ransom strings> and placing it in an authorized location directory.

A web shell is one line of PHP code. It listens to HTTP POST requests and has two parameters. “id” acts as a username for system access. “img” includes commands.

PHP web shell planted by Lorenz ransomware under the name “twitter_icon_”


The web shell remained dormant for five months on the victim’s network. The hackers had the nerve to attack the victim network again, so they created a backdoor and distributed the Lorenz ransomware within 48 hours.

Before applying a critical bug fix, make sure you have checked for intruders

According to S-RM researchers, the prolonged inactivity could indicate that ransomware groups purchased access from brokers.

One theory suggests that Lorenz’s gang has a branch dedicated to securing initial access, and protecting it from possible hijacking by intruders.

S-RM researchers Tim Geschwindt and Ailsa Wool said that threats actors often take advantage of a vulnerability in order to compromise unpatched systems and then return to the site to carry out the attack.

They believe Lorenz “is actively returning to backdoors old, checking that they are still accessible and using them for ransomware attacks.”

The researchers also note that while updating to the most current version of software is important for network security, it’s not enough. Companies should check the environment for possible exploit attempts or intrusions in case there are critical vulnerabilities.

Logs can be reviewed to look for unusual behavior or access, as well as network monitoring data. This could help uncover an intrusion that will survive security updates.