{
	"id": "2b76e4fa-52fc-4363-bd1b-409da97cc707",
	"created_at": "2026-04-06T00:15:59.723136Z",
	"updated_at": "2026-04-10T03:32:24.801708Z",
	"deleted_at": null,
	"sha1_hash": "b830e3ee8e5029495de5d708575d8b7e7a03f2f3",
	"title": "Lorenz Abuses Magnet RAM Capture | Arctic Wolf",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 180050,
	"plain_text": "Lorenz Abuses Magnet RAM Capture | Arctic Wolf\r\nBy Steven Campbell, Ross Phillips, Seth Battles, and Markus Neis\r\nPublished: 2023-02-23 · Archived: 2026-04-05 19:51:20 UTC\r\nExecutive Summary \r\nAs organizations implement additional security controls and detections, threat actors adjust to bypass them. Since our initial\r\ninvestigation into a Lorenz ransomware intrusion that exploited a Mitel MiVoice VoIP appliance, we have observed a shift in\r\nthe group’s Tactics, Techniques, and Procedures (TTPs).\r\nThe Arctic Wolf Labs team recently investigated additional Lorenz ransomware intrusions, which also exploited a Mitel\r\nMiVoice VoIP appliance vulnerability (CVE-2022-29499) for initial access. In at least one case in late-2022, we observed\r\nthe threat actors leveraging a compromised VPN account to regain access to the victim’s environment and execute Magnet\r\nRAM Capture—a free tool that is typically used by law enforcement and forensic teams to capture the physical memory of a\r\nvictim’s device—on a Mitel Digital Voicemail system (running Microsoft Windows Server 2016). The threat actors\r\nleveraged Magnet RAM Capture to bypass the victim’s EDR (Endpoint Detection and Response). Arctic Wolf Labs has\r\ninformed Magnet Forensics about the known abuse of their tool by the Lorenz group.\r\nWe have published a compiled list of Indicators of Compromise (IOCs) and related artifacts we observed in this intrusion to\r\nour GitHub here. 
Also included in our GitHub are Sigma and YARA rules that our team developed to assist defenders in\r\ndetecting unexpected use of Magnet RAM capture on their hosts.\r\nNote: Arctic Wolf Labs has deployed detections in our platform to identify potential malicious activity associated with the\r\nLorenz ransomware group, including the TTPs mentioned in this blog.\r\nKey Findings\r\nThe Lorenz ransomware group targeted the same victim and adapted their TTPs to successfully bypass security\r\ncontrols when the first attempt was not successful.\r\nThis is the first Lorenz ransomware intrusion publicly documented where the threat actors leveraged Magnet RAM\r\nCapture to dump memory.\r\nSubstantive Analysis\r\nIn at least one intrusion, the Lorenz ransomware group was not able to start the encryption process due to their registry\r\nmodification attempts and PowerShell commands being blocked by the EDR. The techniques and procedures in this\r\nintrusion were almost identical to the Lorenz ransomware case we investigated in September 2022.\r\nWe observed the use of the Chisel tunneling tool, dumping of LSASS, and encryption attempts via BitLocker Drive\r\nEncryption. Notably, data exfiltration did not occur until the threat actors noticed their PowerShell commands were being\r\nprevented by security controls. Approximately two hours after unsuccessful data encryption, we observed the threat actors\r\ndownload and execute FileZilla on multiple systems to exfiltrate as much data as possible. Like other Lorenz intrusions, the\r\nthreat actors exfiltrated the data to Digital Ocean IP addresses.\r\nHowever, data exfiltration and extortion were not enough for Lorenz, and approximately a month later, the threat actors\r\nleveraged compromised VPN credentials to regain access. 
The compromised VPN credentials were tied to a vendor account\r\nused to service the Mitel infrastructure. They had been obtained via activity in the previous incident: the credentials\r\nhad been reset but set to “User must change password at next logon,” which prompted the threat actors to change the\r\npassword when logging in via the vendor account.\r\nUltimately, this access allowed Lorenz to pivot into the Mitel environment, set up Chisel as a SOCKS proxy, obtain\r\nadditional credentials, and create accounts for persistence.\r\nOperating within kernel mode gives an adversary access to the most privileged areas of an operating system. To obtain\r\nkernel-level privileges, threat actors often leverage a technique known as “Bring Your Own Vulnerable Driver” (BYOVD).\r\nBYOVD gives a threat actor full kernel memory read and write access and the ability to evade endpoint\r\nsecurity solutions by removing telemetry sources. Multiple threat actors have leveraged BYOVD to bypass and disable\r\nendpoint security solutions, including Lazarus, AvosLocker, and BlackByte.\r\nWell-known vulnerable driver exploits are easily detected by most EDRs, forcing advanced threat actors to research kernel\r\ndriver vulnerabilities and develop exploits, which can be a time-consuming and tedious task.\r\nLorenz, however, did not use a vulnerability to gain kernel access; instead, they leveraged Magnet RAM Capture, a user-mode application which, like many other RAM acquisition tools, comes equipped with a signed kernel driver to directly\r\naccess physical memory. The use of Magnet RAM Capture allowed the threat actor to bypass the EDR on the victim host\r\nand enabled them to obtain a memory dump of the host.\r\nhttps://arcticwolf.com/resources/blog/lorenz-ransomware-getting-dumped/\r\nPage 1 of 6\n\n
Although a RAM capture is not completely structured, threat actors\r\ncan extract sensitive information like credentials via readily available memory forensics tools.\r\nExample of obtaining credentials from RAM Capture\r\nConclusion\r\nThe Lorenz ransomware group consistently shows inventive ways to achieve their objectives. This added technique\r\ndemonstrates how the Lorenz threat actors are willing to adjust their TTPs to evade security controls. In this case, they relied\r\non a known RAM Capture tool to bypass an EDR solution.\r\nMany security vendors provide free tools to help security professionals perform better research and security investigations.\r\nEven with access controls, threat actors will continue to find ways to obtain and abuse legitimate tools to bypass security\r\ncontrols.\r\nRecommendations\r\nEnsure Secure Password Reset After a Compromise\r\nWhen leveraging the “User must change password at next logon” ensure all accounts that received the prompt have\r\nsuccessfully changed their password and logged in; this includes user, service, and vendor accounts.\r\nIf not, threat actors could leverage previously compromised credentials to reset the password and obtain access again,\r\nnegating the password reset. Administrators should also understand all accounts tied to the service so that all resets can be\r\ntracked and recorded.\r\nFor user or vendor accounts that are tied to individuals outside of your organization, consider not using the “User must\r\nchange password at next logon” feature. Instead, reset the password directly with a new value and send the password to the\r\naccount holder out of band. Ensure the user resets the password upon logging in to the account.\r\nImplement Multi-factor Authentication\r\nImplement multi-factor authentication (MFA) wherever possible within your environment, especially VPN accounts. 
Multi-factor authentication reduces the impact leaked or compromised credentials have on an organization.\r\nConduct Network and Host Baselines to Aid in Monitoring of Malicious Traffic and Binaries\r\nUnderstanding your environment can help you identify malicious traffic and binaries more efficiently. For\r\nexample, if your organization does not use Magnet RAM Capture for legitimate business purposes, or there is no reason for\r\nit to be present on a given system, the presence or execution of the binary can be a good indicator that malicious activity is\r\npresent in your environment. Understanding your environment’s baseline and approved software will ensure malicious\r\nactivity is caught earlier in the kill chain.\r\nAudit or Block Unwanted Drivers Using Windows Defender Application Control (WDAC)\r\nOrganizations can consider auditing or blocking unwanted drivers via Windows Defender Application Control (WDAC).\r\nMicrosoft has detailed many methods of restricting unwanted drivers in their “Microsoft recommended driver block rules”\r\narticle.\r\nDetection Opportunities\r\nMultiple detection opportunities exist; below we provide a subset based on the Magnet RAM Capture sample observed\r\nduring the Lorenz intrusion:\r\nSHA256 72dc1ba6ddc9d572d70a194ebdf6027039734ecee23a02751b0b3b3c4ea430de\r\nThe Arctic Wolf Labs team has developed Sigma and YARA rules that can assist defenders in detecting unexpected use of\r\nMagnet RAM Capture on their hosts.\r\nNote: Arctic Wolf Labs has deployed detections in our platform to identify potential malicious activity associated with the\r\nLorenz ransomware group, including the TTPs mentioned in this blog.\r\nHunting for Execution\r\nMagnet RAM Capture requires admin privileges and can be executed either via the GUI or from the command line.\r\nBoth types of execution can be identified by leveraging PE header metadata for process 
execution events, as these details\r\nhave been defined by Magnet Forensics and have been consistent across the various versions of the tool we identified.\r\nExample Process Create Event\r\nProcess Create:\r\nDescription: Magnet RAM Capture\r\nProduct: Magnet RAM Capture\r\nCompany: Magnet Forensics Inc.\r\nOriginalFileName: MRC.exe\r\nIf execution is done via the command line, defenders can monitor for Magnet RAM Capture parameter invocations.\r\nParameter Description\r\n/accepteula* Accepts the EULA (no user interaction required)\r\n/go* \u003coptional output path, including output file name\u003e – No user input required; start RAM capture immediately, saving to a .raw file in the current folder unless a path is provided (if the path contains spaces, use quotes around the entire path).\r\n/split 500MB|1GB|2GB|4GB – Split the RAM capture into segments of 500MB, 1GB, 2GB, or 4GB (e.g. /split 2GB) – requires /go parameter.\r\n/silent* Captures RAM in the background; no interface or progress displayed – requires /go parameter.\r\n/? This help screen\r\nSource: Magnet RAM Capture\r\n*Required parameters to successfully invoke Magnet RAM Capture via the command line.\r\nExample Process Create Event\r\nProcess Create:\r\nCommandLine: \"C:\\\u003cSNIP\u003e\\\u003cmagnet_path\u003e\\magnet.exe\" /silent /go debug.raw /accepteula\r\nDriver Load\r\nThe Magnet RAM Capture main executable contains multiple signed drivers for various CPU architectures within its PE\r\nresources. 
A driver for the correct architecture is dropped, with a .tmp extension, into the same directory from which the tool was\r\nexecuted.\r\nExample Driver Load Event\r\nDriver loaded:\r\nImageLoaded: C:\\\u003cSNIP\u003e\\\u003cmagnet_path\u003e\\magA46.tmp\r\nHashes:\r\nMD5=35AEF87E63302FB7273870CFF3117279\r\nSHA256=5FFF657939E757922941162376ADB86B7A37DC329A1F9969C70F23E7D54B7B4C\r\nIMPHASH=99ABE3BC6F5A07246949FFC36BC1F543\r\nSigned: true\r\nSignature: Magnet Forensics Inc.\r\nSignatureStatus: Valid\r\nWe have extracted the drivers and recommend detecting on driver load events that contain any of the values seen below:\r\nSHA256 MD5 SHA1\r\n5FFF657939E757922941162376ADB86B7A37DC329A1F9969C70F23E7D54B7B4C 35AEF87E63302FB7273870CFF3117279 68DBA\r\nC0CAFFD00B9576725ACF9DBE15AF8FC64EA000CB527F1FBCAA3CBDCF52C99152 F6D77EF0B07B6FFF1B91357C890DCF88 5D798\r\n3766619B7564F84185CF8CC952EE5513C45C6D858EF971C5FD1B0BDF234B8BAA FFDC58CD04A6E6295725F1C9B9C0D0CE CB330\r\n654629028CF878126A25B8449B5F1AC4D828B5ADC03BB393062D46415A78F39B 1DD0E3E168B5B4704583B59E0F5A63A2 B7C36\r\nService Creation\r\nMagnet RAM Capture creates a kernel driver service whose service name is the FileDescription of the driver and whose\r\nImagePath points to a .tmp file, which is the signed driver written into the same directory from which the tool was executed.\r\nWindows Event ID 7045\r\nServiceName: MagnetRAMCapture Driver\r\nImagePath: C:\\\u003cSNIP\u003e\\\u003cmagnet_path\u003e\\mag7E01.tmp\r\nServiceType: kernel mode driver\r\nStartType: demand start\r\nIndicators of Compromise (IOCs)\r\nIndicator | Type | Context\r\n138.68.62[.]46 | IP Address | Data exfiltration via FileZilla\r\n192.241.152[.]84 | IP Address | Chisel Tunnel\r\n138.68.50[.]118 | IP Address | Chisel Tunnel\r\n206.189.198[.]191 | IP Address | Data Exfiltration via FileZilla\r\n23.28.148[.]190 | IP Address | Used to connect to the victim’s SSL VPN\r\n45.61.136[.]141 | IP Address | Used to connect to the victim’s SSL VPN\r\n97FF99FD824A02106D20D167E2A2B647244712A558639524E7DB1E6A2064A68D | SHA256 | Chisel Tunnel**\r\n72DC1BA6DDC9D572D70A194EBDF6027039734ECEE23A02751B0B3B3C4EA430DE | SHA256 | Magnet RAM Capture*\r\n5FFF657939E757922941162376ADB86B7A37DC329A1F9969C70F23E7D54B7B4C | SHA256 | Signed Driver used by Magnet RAM Capture\r\nC:\\Users\\MRCv120.exe | Filepath | Magnet RAM Capture*\r\nMagnetRAMCapture.sys | Filename | PE Original Name of Signed Driver used by Magnet RAM Capture\r\ndebug.raw | Filename | Observed name for RAM capture output\r\n\\tmp\\.tmp\\mem | Filepath | Chisel Tunnel\r\n* Magnet RAM Capture can be used for legitimate purposes. We recommend leveraging the hash values to hunt for potential\r\nmalicious activity, but also leverage environment context to make a determination on the legitimacy of the tools in your\r\nenvironment.\r\n** Chisel can be used for legitimate purposes. However, in most instances that Arctic Wolf Labs has observed, the tool has\r\nbeen used for malicious activity. 
We recommend leveraging the hash values to hunt for potential malicious activity, but also\r\nleverage environment context to make a determination on the legitimacy of the tools in your environment.\r\nMITRE ATT\u0026CK Matrix\r\nTactic | ID | Name | Details\r\nInitial Access | T1190 | Exploit Public-Facing Application | Lorenz exploited CVE-2022-29499 on an exposed Mitel device, achieving Remote Code Execution (RCE).\r\nPersistence | T1078 | Valid Accounts | The threat actors leveraged compromised VPN credentials to regain access. The threat actors created an additional account on the Mitel Digital Voicemail system.\r\nCommand \u0026 Control | T1095 | Non-Application Layer Protocol | Lorenz set up a SOCKS proxy via Chisel on the Mitel device.\r\nCredential Access | T1003.001 | OS Credential Dumping: LSASS Memory | The threat actors dumped LSASS memory. The threat actors used Magnet RAM Capture to acquire a physical memory dump.\r\nCredential Access | T1003.002 | OS Credential Dumping: Security Account Manager | The threat actors used Magnet RAM Capture to acquire a physical memory dump.\r\nCredential Access | T1003.004 | OS Credential Dumping: LSA Secrets | The threat actors used Magnet RAM Capture to acquire a physical memory dump.\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | Lorenz executed multiple PowerShell commands that were prevented by the EDR.\r\nData Exfiltration | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | The threat actors exfiltrated data via FileZilla.\r\nDefense Evasion | T1553.002 | Subvert Trust Controls: Code Signing | Magnet RAM Capture comes with a signed driver that allowed the threat actor to bypass the EDR.\r\nNote: To download a full listing of IOCs, artifacts, and detections mentioned in this blog, refer to our GitHub here.\r\nFor additional recommendations and insights regarding 
Lorenz ransomware, check out our first blog, Chiseling In: Lorenz\r\nRansomware Group Cracks MiVoice And Calls Back For Free, published on September 12, 2022.\r\nReferences\r\n1. https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-22-0002\r\n2. https://github.com/jpillora/chisel\r\n3. https://filezilla-project.org/\r\n4. https://www.magnetforensics.com/resources/magnet-ram-capture/\r\n5. https://www.microsoft.com/en-us/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/\r\n6. https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html\r\n7. https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/\r\n8. https://insights.s-rminform.com/lorenz-cyber-intelligence-briefing-special\r\n9. https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules\r\n10. https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/\r\nBy Steven Campbell, Ross Phillips, Seth Battles, Markus Neis\r\nSteven Campbell | Senior Threat Intelligence Researcher\r\nSteven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience\r\nin intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.\r\nRoss Phillips | Senior Threat Intelligence Researcher\r\nRoss is a Sr. Threat Intelligence Researcher at Arctic Wolf Labs with almost a decade of experience in the security\r\nlandscape. 
Prior to this, Ross worked as a Technical Lead for the Arctic Wolf SOC and an Internal Tech Resident at Google\r\nafter graduating from Rochester Institute of Technology in 2012 majoring in Information Security \u0026 Forensics.\r\nSeth Battles | Senior Forensics Analyst\r\nSeth Battles is a Senior Forensics Analyst with Arctic Wolf Incident Response. He has years of experience in various facets\r\nof security operations, with a focus on incident response. His technical proficiencies include Digital Forensics, Exploit\r\nanalysis, and Offensive Security.\r\nMarkus Neis | Principal Threat Intelligence Researcher\r\nMarkus Neis is a Principal Threat Intelligence Researcher in Arctic Wolf Labs focused on leading advanced threat research.\r\nHe has more than a decade of experience in researching adversary tradecraft and responding to sophisticated attacks.\r\nSource: https://arcticwolf.com/resources/blog/lorenz-ransomware-getting-dumped/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://arcticwolf.com/resources/blog/lorenz-ransomware-getting-dumped/"
	],
	"report_names": [
		"lorenz-ransomware-getting-dumped"
	],
	"threat_actors": [
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434559,
	"ts_updated_at": 1775791944,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b830e3ee8e5029495de5d708575d8b7e7a03f2f3.pdf",
		"text": "https://archive.orkl.eu/b830e3ee8e5029495de5d708575d8b7e7a03f2f3.txt",
		"img": "https://archive.orkl.eu/b830e3ee8e5029495de5d708575d8b7e7a03f2f3.jpg"
	}
}