Author: Shashank Jain
1. Executive Summary
On 6 May, the Cybersecurity & Infrastructure Security Agency (CISA) published two analytic reports (AR21-126A1 and AR21-126B2) on a newly discovered ransomware variant named FiveHands. They include details of a recent cyberattack using FiveHands and provide information on the tactics, techniques and procedures (TTPs), as well as a malware analysis of the 18 files used by threat actors in this attack.
FireEye’s Mandiant team has labeled the threat actors behind this attack UNC2447.3 This sophisticated and financially-motivated group and its affiliates have been active since May 2020 and target organizations in Europe and North America. UNC2447 uses FiveHands ransomware to exfiltrate victim data and threaten the victim with media attention or with selling the stolen data on hacker forums if the victim does not pay the ransom.
UNC2447 used publicly available penetration testing and exploitation tools (eight identified), FiveHands ransomware (one binary), and the SombRAT (seven binaries) remote access trojan (RAT) to obfuscate files and steal victim information, as well as to demand a ransom payment from the victim organization. They also used publicly available tools such as PsExec.exe, Routerscan.exe, netscan, etc. for network discovery and credential access.
On 29 April, Mandiant published a report on the capability of SombRAT and FiveHands to exploit CVE-2021-20016 – a SonicWall VPN zero-day vulnerability – to deliver the ransomware payload and infect victim’s machines.
According to the CISA report, threat actors gain access to the victim’s network by exploiting a zero-day vulnerability (CVE-2021-20016) in SonicWall Secure Mobile Access (SMA) 100 series remote access products. By crafting a special SQL query, an attacker can exploit the vulnerability to gain access to the login credentials and session information that can then be used to log into a vulnerable VPN server and further scan the network. This allows the attacker to gain access to a victim’s internal network, exploit machines using SombRAT and deliver the FiveHands ransomware.
The Mandiant report indicates that FiveHands uses an embedded NTRU public key that is SHA-512 hashed. The first 32 bytes of this key are used as the victim ID within the ransom note. The report also includes a technical comparison between FiveHands and similar ransomware variants such as HELLOKITTY and DEATHRANSOM.
3. Prevention and Mitigation
Infoblox recommends patching the CVE-2021-20016 vulnerability to prevent the initial vector identified in the report. CISA recommends4 that organizations implement the following practices to strengthen the security posture of their systems:
- Maintain up to date antivirus signatures and engines.
- Keep operating system patches up to date.
- Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Implement multi-factor authentication (MFA), particularly on all VPN connections, external-facing services, and privileged accounts. Where MFA is not implemented, enforce a strong password policy and implement regular password changes.
- Decommission unused VPN servers, which may act as a point of entry for attackers.
- Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).
- Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for – and remove – suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
- Scan all software downloaded from the internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate access control lists (ACLs).
3.1. Indicators of Compromise
Below is a supplementary list of indicators related to this attack, according to OSINT. CISA published an extended list of indicators in their 6 May report.
Hashes related to FiveHands Ransomware attack
Domain related to FiveHands Ransomware attack
IP related to FiveHands Ransomware attack