Cyber Threat Advisory: FiveHands Ransomware

Share On Facebook
Share On Twitter
Share On Linkedin

Author: Shashank Jain

TLP: WHITE

 

1. Executive Summary

On 6 May, the Cybersecurity & Infrastructure Security Agency (CISA) published two analytic reports (AR21-126A1 and AR21-126B2) on a newly discovered ransomware variant named FiveHands. They include details of a recent cyberattack using FiveHands and provide information on the tactics, techniques and procedures (TTPs), as well as a malware analysis of the 18 files used by threat actors in this attack.

FireEye’s Mandiant team has labeled the threat actors behind this attack UNC2447.3 This sophisticated and financially-motivated group and its affiliates have been active since May 2020 and target organizations in Europe and North America. UNC2447 uses FiveHands ransomware to exfiltrate victim data and threaten the victim with media attention or with selling the stolen data on hacker forums if the victim does not pay the ransom.

UNC2447 used publicly available penetration testing and exploitation tools (eight identified), FiveHands ransomware (one binary), and the SombRAT (seven binaries) remote access trojan (RAT) to obfuscate files and steal victim information, as well as to demand a ransom payment from the victim organization. They also used publicly available tools such as PsExec.exe, Routerscan.exe, netscan, etc. for network discovery and credential access.

On 29 April, Mandiant published a report on the capability of SombRAT and FiveHands to exploit CVE-2021-20016 – a SonicWall VPN zero-day vulnerability – to deliver the ransomware payload and infect victim’s machines.

2. Analysis

According to the CISA report, threat actors gain access to the victim’s network by exploiting a zero-day vulnerability (CVE-2021-20016) in SonicWall Secure Mobile Access (SMA) 100 series remote access products. By crafting a special SQL query, an attacker can exploit the vulnerability to gain access to the login credentials and session information that can then be used to log into a vulnerable VPN server and further scan the network. This allows the attacker to gain access to a victim’s internal network, exploit machines using SombRAT and deliver the FiveHands ransomware.

The Mandiant report indicates that FiveHands uses an embedded NTRU public key that is SHA-512 hashed. The first 32 bytes of this key are used as the victim ID within the ransom note. The report also includes a technical comparison between FiveHands and similar ransomware variants such as HELLOKITTY and DEATHRANSOM.

3.  Prevention and Mitigation

Infoblox recommends patching the CVE-2021-20016 vulnerability to prevent the initial vector identified in the report. CISA recommends4 that organizations implement the following practices to strengthen the security posture of their systems:

  • Maintain up to date antivirus signatures and engines.
  • Keep operating system patches up to date.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Implement multi-factor authentication (MFA), particularly on all VPN connections, external-facing services, and privileged accounts. Where MFA is not implemented, enforce a strong password policy and implement regular password changes.
  • Decommission unused VPN servers, which may act as a point of entry for attackers.
  • Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).
  • Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for – and remove – suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
  • Scan all software downloaded from the internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate access control lists (ACLs).

          3.1.  Indicators of Compromise

Below is a supplementary list of indicators related to this attack, according to OSINT. CISA published an extended list of indicators in their 6 May report.

Indicators

 Description

18229920a45130f00539405fecab500d8010ef93856e1c5bcabf5aa5532b3311 (RouterScan.exe)

2703aba98d6ecf0bf0b5aafe70edc4bc14d223a11021990bfb10acf5641d3a12 (ServeManager.exe)

3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef (PsExec.exe)

495a0ccc38fb8f22b48025f030617978cf5fdc3df3fed32b1410ad47747ae177 (rclone.exe)

4de1bd4b1bb28ed0897b9d3c5d16a4b1442c7f53cb389cbed82af189696d3f40 (WwanSvc.txt)

5608c12872229acd84f33bf6c667a1b43d112594b2b5f47f923d631bcce6090c (netscan.lic)

Hashes related to FiveHands Ransomware attack

5f312e137beb1ce75f8fdf03a59e1b3cba3dc57ccc16e48daee3ee52c08fa149 (s3browser-9-5-3.exe)

7d57e0ba8b36ec221b16807ce4e13a1125d53922fa50c3827a5ebd6811736ffd (grabff.exe)

911a88fe16efca24206f1786242615596e67a9336bc670c1e44a33727987d886 (WwanSvc.c__2)

a710f573f73c163d54c95b4175706329db3ed89cd9337c583d0bb24b6a384789 (netscan.exe)

a7f5097c0d991c9bbd5f2694ec8c9b484e2ab583d362c42c30556f1271cc8aaa (WwanSvc.a__2)

bfc50bf40aae3b41d77169fba45c332b8c60406b403af647f1bb083918a33b9e (59fb3174bb34e803)

c0a214a60daac6f0ba01ce9128d42bb2d8e81909f4b87963de340ab8627a6b0b (WwanSvc.b__2)

c5a1dbb49ff72a69ac7c52b18e57a21527bc381077b1cea12c3a40e9e98ae6cd (WwanSvc.b)

ccacf4658ae778d02e4e55cd161b5a0772eb8b8eee62fed34e2d8f11db2cc4bc (WwanSvc.bat)

d3d5e5a8a40f34fc8d89b2d74d89a4b101d8b95a79e990e3b4161282aa6aca32 (WwanSvc.c)

dec8655cdd7214daf9579ef481d0b0c6ed8120c120d3bd8ec27cb6e1874eb291 (WwanSvc.a)

e4b67b8ffcc1ed95d3ff26622ab4c67a329f76bd76d0f523f5986e67969354b7 (netscan.xml)

  

feticost[.]com

Domain related to FiveHands Ransomware attack
51[.]89[.]50[.]152

IP related to FiveHands Ransomware attack

Endnotes

  1. https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
  2. https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b
  3. https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html
  4. https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b

Labels:

Infoblox Threat Intel

Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access give us a backstage pass to the internet's inner workings. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get the benefits of it, along with ridiculously low false positive rates.

View All Posts

You might also be interested in

You might also be interested in

×