A financially motivated threat actor exploited a zero-day vulnerability in SonicWall SMA 100 series VPN appliances to deploy a new ransomware strain known as FiveHands on the networks of targets in North America and Europe.
The group, tracked by Mandiant threat analysts as UNC2447, exploited the SonicWall vulnerability CVE-2021-20016 to breach networks and deploy FiveHands ransomware payloads before patches were released in late February 2021.
Before deploying the ransomware payloads, UNC2447 was also observed using Cobalt Strike implants to gain persistence and installing a variant of the SombRAT backdoor, a malware first detected in the CostaRicto campaign run by a group of mercenary hackers.
The zero-day was also exploited in attacks targeting SonicWall's internal systems in January and was later indiscriminately abused in the wild.
The FiveHands ransomware deployed in the UNC2447 attacks was first observed in the wild in October 2020.
It closely resembles the HelloKitty ransomware; both are rewrites of the DeathRansom ransomware.
HelloKitty was used to encrypt the systems of video game development studio CD Projekt Red [1, 2], and the attackers later claimed to have stolen the source code for Cyberpunk 2077, Witcher 3, Gwent, and an unreleased version of Witcher 3.
This ransomware operation has also targeted other large companies around the world, including Brazilian power company CEMIG (Companhia Energética de Minas Gerais).
As Mandiant discovered, HelloKitty activity had slowly decreased as of January 2021 when the use of FiveHands in attacks began to increase.
“Based on technical and temporal observations of the HELLOKITTY and FIVEHANDS implementations, Mandiant suspects that HELLOKITTY may have been used by a general affiliate program from May 2020 to December 2020, and FIVEHANDS from approximately January 2021,” said the researchers.
Beyond sharing features, functionality, and code similarities, the two malware strains were also linked by Mandiant earlier this month after it observed a FiveHands ransomware Tor chat site using a HelloKitty favicon.
BleepingComputer also reported today that the resort municipality of Whistler was hit by a new ransomware operation using a very similar Tor site, but it is unclear whether there is any link to the FiveHands operation.
FiveHands also adds functionality that HelloKitty and DeathRansom lack: it can "use Windows Restart Manager to close a file currently in use so that it can be properly unlocked and encrypted."
It is further set apart by its use of different built-in encryption libraries, a memory-only dropper, and asynchronous I/O requests, none of which are present in the other two ransomware strains in its family.
Ragnar Locker ransomware also deployed by UNC2447 affiliates
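What the Restart Manager step above looks like from the defender's side, as an added example (this is not FiveHands code and not from Mandiant's report): the script below asks the same rstrtmgr.dll API which processes currently hold a given file open. It stops at RmGetList; RmShutdown, the call that actually frees the file by terminating or restarting those processes, is deliberately not called. The P/Invoke declarations follow the Win32 signatures in RestartManager.h; the file path passed as -Path is an assumed input.

```powershell
<#
  Added example, not FiveHands or Mandiant code: list the processes holding a
  file open through the Windows Restart Manager API (rstrtmgr.dll), the API the
  article says FiveHands uses to unlock in-use files before encrypting them.
  RmShutdown (which would terminate/restart the holders) is intentionally NOT
  called. The -Path value is an assumed input.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

if (-not ('RestartManager' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class RestartManager
{
    [StructLayout(LayoutKind.Sequential)]
    public struct RM_UNIQUE_PROCESS
    {
        public uint dwProcessId;
        public System.Runtime.InteropServices.ComTypes.FILETIME ProcessStartTime;
    }

    // Field sizes follow RestartManager.h: CCH_RM_MAX_APP_NAME+1 and CCH_RM_MAX_SVC_NAME+1.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct RM_PROCESS_INFO
    {
        public RM_UNIQUE_PROCESS Process;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)] public string strAppName;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 64)]  public string strServiceShortName;
        public int  ApplicationType;   // RM_APP_TYPE
        public uint AppStatus;
        public uint TSSessionId;
        [MarshalAs(UnmanagedType.Bool)] public bool bRestartable;
    }

    [DllImport("rstrtmgr.dll", CharSet = CharSet.Unicode)]
    public static extern int RmStartSession(out uint pSessionHandle, int dwSessionFlags, string strSessionKey);

    [DllImport("rstrtmgr.dll", CharSet = CharSet.Unicode)]
    public static extern int RmRegisterResources(uint dwSessionHandle,
        uint nFiles, string[] rgsFileNames,
        uint nApplications, IntPtr rgApplications,
        uint nServices, string[] rgsServiceNames);

    [DllImport("rstrtmgr.dll")]
    public static extern int RmGetList(uint dwSessionHandle, out uint pnProcInfoNeeded,
        ref uint pnProcInfo, [In, Out] RM_PROCESS_INFO[] rgAffectedApps, ref uint lpdwRebootReasons);

    [DllImport("rstrtmgr.dll")]
    public static extern int RmEndSession(uint dwSessionHandle);
}
'@
}

$ERROR_MORE_DATA = 234
$full = (Resolve-Path -LiteralPath $Path).ProviderPath

$session = [uint32]0
# RmStartSession needs a caller-supplied key buffer of at least CCH_RM_SESSION_KEY+1 chars;
# a 36-char GUID string is the usual way to satisfy that from managed code.
$rc = [RestartManager]::RmStartSession([ref]$session, 0, [Guid]::NewGuid().ToString())
if ($rc -ne 0) { throw "RmStartSession failed with Win32 error $rc" }

try {
    $rc = [RestartManager]::RmRegisterResources($session, 1, [string[]]@($full), 0, [IntPtr]::Zero, 0, $null)
    if ($rc -ne 0) { throw "RmRegisterResources failed with Win32 error $rc" }

    $needed = [uint32]0; $count = [uint32]0; $reasons = [uint32]0
    # First call with no buffer: returns ERROR_MORE_DATA plus the entry count when the file is in use.
    $rc = [RestartManager]::RmGetList($session, [ref]$needed, [ref]$count, $null, [ref]$reasons)
    if ($rc -eq $ERROR_MORE_DATA) {
        $info  = [Array]::CreateInstance([RestartManager+RM_PROCESS_INFO], $needed)
        $count = $needed
        $rc = [RestartManager]::RmGetList($session, [ref]$needed, [ref]$count, $info, [ref]$reasons)
    }
    if ($rc -ne 0) { throw "RmGetList failed with Win32 error $rc" }

    if ($count -eq 0) {
        Write-Output "No process holds $full open."
    } else {
        # Only the first $count entries of the buffer are populated.
        $info[0..($count - 1)] | ForEach-Object {
            [pscustomobject]@{
                PID         = $_.Process.dwProcessId
                App         = $_.strAppName
                AppType     = $_.ApplicationType   # 1 main window, 2 other, 3 service, 4 explorer, 5 console, 1000 critical
                Restartable = $_.bRestartable
            }
        }
    }
}
finally {
    # Ending the session drops the registration without touching the holding processes.
    [void][RestartManager]::RmEndSession($session)
}
```

Run it as `.\Get-FileLocker.ps1 -Path 'C:\Users\alice\Documents\budget.xlsx'` (an assumed path). The same RmStartSession / RmRegisterResources / RmGetList sequence, followed by RmShutdown, is the legitimate path installers take to replace in-use files, so loading rstrtmgr.dll is not a signal on its own; what distinguishes the ransomware behaviour the article describes is an unfamiliar process registering and shutting down holders of many user documents in quick succession.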
“UNC2447 monetizes intrusions by extorting its victims first with the FIVEHANDS ransomware and then aggressively applying pressure through media attention threats and offering victim data for sale on hacker forums,” Mandiant added in a report released today.
“UNC2447 has been observed to target organizations in Europe and North America and has consistently shown advanced capabilities to evade detection and minimize post-intrusion forensic analysis.”
Mandiant says UNC2447 affiliates were also observed deploying Ragnar Locker ransomware in previous attacks.
In March, Mandiant analysts discovered three other zero-day vulnerabilities in SonicWall's on-premises and hosted Email Security (ES) products.
Those zero-days were actively exploited by another group, tracked as UNC2682, to backdoor systems with BEHINDER web shells, move laterally through victims' networks, and gain access to emails and files.