CISA has published a report on the FiveHands ransomware deployed by an aggressive, financially motivated group, UNC2447. The campaign involved extortion incidents between January and February.

About the alert

The alert details the gang’s methods and provides mitigation tips. The threat actor leveraged publicly available pentesting and exploitation tools, SombRAT, and FiveHands to obfuscate files, steal information, and demand ransom from the victim. In addition, the gang used publicly available tools for credential access and network discovery.

A series of attacks

  • UNC2447 has primarily targeted small and medium enterprises in telecom, construction, healthcare, food and beverage, engineering, real estate, and education sectors.
  • The group exploited a zero-day flaw (CVE-2021-20016) in SonicWall’s SMA 100 Series appliance.

CISA findings

  • The threat actor used various features of the SoftPerfect Network Scanner to discover hostnames and network services.
  • The ransomware implements the SombRAT trojan by leveraging batch and text files.
  • C&C communication was AES-encrypted, which helped FiveHands operate effectively: it enabled the threat actors to download executable DLL plug-ins over a protected SSL session.

About UNC2447

  • UNC2447 monetizes its intrusions by extorting victims using FiveHands ransomware. It then pressures them by threatening to sell stolen data on hacker forums.
  • It has mainly targeted European and North American organizations and is known for its detection evasion capabilities.
  • UNC2447-affiliated hackers have also been spotted deploying the Ragnar Locker ransomware.

The bottom line

CISA has offered a long list of mitigation measures to protect against FiveHands and other ransomware, which can be found in the alert. With the undeniable success of ransomware operators since last year, the cybercriminal market has expanded to fit more attacks and attackers in its portfolio. Organizations are therefore advised to implement these defenses and stay vigilant.

Cyware Publisher