{"id":6308,"date":"2021-05-10T16:15:22","date_gmt":"2021-05-10T23:15:22","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6308"},"modified":"2024-04-26T13:20:43","modified_gmt":"2024-04-26T20:20:43","slug":"cyber-threat-advisory-fivehands-ransomware","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/cyber-threat-advisory-fivehands-ransomware\/","title":{"rendered":"Cyber Threat Advisory: FiveHands Ransomware"},"content":{"rendered":"

Author: Shashank Jain<\/h3>\n

TLP: WHITE<\/h3>\n

 <\/p>\n

1. Executive Summary<\/h3>\n

On 6 May, the Cybersecurity & Infrastructure Security Agency (CISA) published two analytic reports (AR21-126A1<\/sup> and AR21-126B2<\/sup>) on a newly discovered ransomware variant named FiveHands. They include details of a recent cyberattack using FiveHands and provide information on the tactics, techniques and procedures (TTPs), as well as a malware analysis of the 18 files used by threat actors in this attack.<\/p>\n

FireEye\u2019s Mandiant team has labeled the threat actors behind this attack UNC2447.3<\/sup> This sophisticated and financially-motivated group and its affiliates have been active since May 2020 and target organizations in Europe and North America. UNC2447 uses FiveHands ransomware to exfiltrate victim data and threaten the victim with media attention or with selling the stolen data on hacker forums if the victim does not pay the ransom.<\/p>\n

UNC2447 used publicly available penetration testing and exploitation tools (eight identified), FiveHands ransomware (one binary), and the SombRAT (seven binaries) remote access trojan (RAT) to obfuscate files and steal victim information, as well as to demand a ransom payment from the victim organization. They also used publicly available tools such as PsExec.exe, Routerscan.exe, netscan, etc. for network discovery and credential access.<\/p>\n

On 29 April, Mandiant published a report on the capability of SombRAT and FiveHands to exploit CVE-2021-20016 – a SonicWall VPN zero-day vulnerability – to deliver the ransomware payload and infect victim\u2019s machines.<\/p>\n

2. Analysis<\/h3>\n

According to the CISA report, threat actors gain access to the victim’s network by exploiting a zero-day vulnerability (CVE-2021-20016) in SonicWall Secure Mobile Access (SMA) 100 series remote access products. By crafting a special SQL query, an attacker can exploit the vulnerability to gain access to the login credentials and session information that can then be used to log into a vulnerable VPN server and further scan the network. This allows the attacker to gain access to a victim\u2019s internal network, exploit machines using SombRAT and deliver the FiveHands ransomware.<\/p>\n

The Mandiant report indicates that FiveHands uses an embedded NTRU public key that is SHA-512 hashed. The first 32 bytes of this key are used as the victim ID within the ransom note. The report also includes a technical comparison between FiveHands and similar ransomware variants such as HELLOKITTY and DEATHRANSOM.<\/p>\n

3.\u00a0 Prevention and Mitigation<\/h3>\n

Infoblox recommends patching the CVE-2021-20016 vulnerability to prevent the initial vector identified in the report. CISA recommends4<\/sup> that organizations implement the following practices to strengthen the security posture of their systems:<\/p>\n