CISA MAR report provides technical details of FiveHands Ransomware

Pierluigi Paganini May 09, 2021

U.S. CISA has published an analysis of the FiveHands ransomware, the same malware that was analyzed a few days ago by researchers from FireEye’s Mandiant experts.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis of the FiveHands ransomware that was recently detailed by FireEye’s Mandiant.

At the end of April, researchers from FireEye’s Mandiant revealed that a sophisticated cybercrime gang tracked as UNC2447 has exploited a zero-day issue (CVE-2021-20016) in SonicWall Secure Mobile Access (SMA) devices, fixed earlier this year, before the vendor addressed it.

The UNC2447 gang targeted organizations in Europe and North America using a broad range of malware over the past months. The malware employed by the group since November 2020, includes Sombrat, FiveHands, the Warprism PowerShell dropper, the Cobalt Strike beacon, and FoxGrabber. UNC2447 extortion activity employed the FIVEHANDS ransomware, the threat actors aggressively threatened victims to disclose their hack on the media to sell the data on hacker forums.

The Malware Analysis Report (MAR) published by Cybersecurity and Infrastructure Security Agency (CISA) includes detailed analysis of 18 malicious files submitted to CISA. One of the files is a new strain of ransomware, eight files are open-source penetration testing and exploitation tools which refers to as FiveHands, and the files are associated with the SombRAT RAT.

“CISA is aware of a recent successful cyberattack against an organization using FiveHands ransomware, SombRAT, and open-source tools to ultimately steal information, obfuscate files, and demand a ransom. For more information, refer to Analysis Report AR21-126A.” reads the Malware Analysis Report (AR21-126B) published by CISA.

The MAR includes suggested response actions and recommended mitigation techniques, to mitigate the risk of cyberattacks.

The malware will also encrypt files in the recovery folder at C:\Recovery, then it will write a ransom note to each folder and directory on the system called ‘read_me_unlock.txt’.

Threat actors employes the SombRAT as part of the attack to download and execution additional malicious payloads.

FiveHands ransomware uses a public key encryption scheme called NTRUEncrypt, it enumerates Volume Shadow copies with Windows Management Instrumentation (WMI) before deleting them to make it impossible data recovery.

The FiveHands ransomware is written in C++ and presents multiple similarities with the DeathRansom, and both malware strains show a connection to the HelloKitty ransomware.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FiveHands ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment