CISA MAR report provides technical details of FiveHands Ransomware

cisa Known Exploited Vulnerabilities RESURGE

U.S. CISA has published an analysis of the FiveHands ransomware, the same malware that was analyzed a few days ago by researchers from FireEye’s Mandiant experts.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis of the FiveHands ransomware that was recently detailed by FireEye’s Mandiant.

At the end of April, researchers from FireEye’s Mandiant revealed that a sophisticated cybercrime gang tracked as UNC2447 has exploited a zero-day issue (CVE-2021-20016) in SonicWall Secure Mobile Access (SMA) devices, fixed earlier this year, before the vendor addressed it.

The UNC2447 gang targeted organizations in Europe and North America using a broad range of malware over the past months. The malware employed by the group since November 2020, includes Sombrat, FiveHands, the Warprism PowerShell dropper, the Cobalt Strike beacon, and FoxGrabber. UNC2447 extortion activity employed the FIVEHANDS ransomware, the threat actors aggressively threatened victims to disclose their hack on the media to sell the data on hacker forums.

The Malware Analysis Report (MAR) published by Cybersecurity and Infrastructure Security Agency (CISA) includes detailed analysis of 18 malicious files submitted to CISA. One of the files is a new strain of ransomware, eight files are open-source penetration testing and exploitation tools which refers to as FiveHands, and the files are associated with the SombRAT RAT.

“CISA is aware of a recent successful cyberattack against an organization using FiveHands ransomware, SombRAT, and open-source tools to ultimately steal information, obfuscate files, and demand a ransom. For more information, refer to Analysis Report AR21-126A.” reads the Malware Analysis Report (AR21-126B) published by CISA.

The MAR includes suggested response actions and recommended mitigation techniques, to mitigate the risk of cyberattacks.

The malware will also encrypt files in the recovery folder at C:\Recovery, then it will write a ransom note to each folder and directory on the system called ‘read_me_unlock.txt’.

Threat actors employes the SombRAT as part of the attack to download and execution additional malicious payloads.

FiveHands ransomware uses a public key encryption scheme called NTRUEncrypt, it enumerates Volume Shadow copies with Windows Management Instrumentation (WMI) before deleting them to make it impossible data recovery.

The FiveHands ransomware is written in C++ and presents multiple similarities with the DeathRansom, and both malware strains show a connection to the HelloKitty ransomware.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FiveHands ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.