Go to listing page

UNC2447 Exploiting SonicWall Zero-day to Breach Networks

UNC2447 Exploiting SonicWall Zero-day to Breach Networks
A new ransomware group has been discovered that exploits a zero-day bug in Sonicwall SMA 100 Series VPN appliances. The ransomware group, identified as UNC2447, deploys the FiveHands ransomware on targeted networks of organizations located in North America and Europe.

What has happened?

According to Mandiant threat analysts, the UNC2447 group exploited the CVE-2021-20016 Sonicwall vulnerability to target networks and deploy FiveHands ransomware payloads before patches were released in February.
  • Before deploying the ransomware payloads, the group uses Cobalt Strike implants to gain persistence and install a variant of SombRAT, a backdoor first discovered in the CostaRicto campaign.
  • The zero-day vulnerability was exploited in attacks aimed at SonicWall's internal systems in January. 
  • The deployment of FiveHands ransomware was first observed in October 2020. It is very similar to HelloKitty in features, functionality, and coding, both of them being rewritten versions of DeathRansom ransomware. The HelloKitty activity slowed down in January when the FiveHands activity started.
  • Mandiant further identified that a FiveHands ransomware Tor chat was using a HelloKitty favicon.

UNC2447 attack methods

UNC2447 monetizes its intrusions by extorting victims with FiveHands ransomware. It then applies pressure by threatening the victims of media attention and putting victim’s stolen data for sale on hacker forums.
  • In addition, UNC2447 affiliates have been discovered to be deploying Ragnar Locker ransomware in previous attacks.
  • Moreover, the threat group is known for using Warprism (PowerShell dropper), Foxgrabber (command-line utility to harvest credentials), Cobalt Strike Beacon HTTPSSTAGER, UNC2447 Toolbox, and SombRAT.
  • UNC2447 was found targeting organizations in Europe and North America.
  • It has gradually picked up advanced capabilities to evade detection and stay protected from post-intrusion forensics.


SombRAT and FiveHands ransomware have been in use by the UNC2447 group since January. Furthermore, there are similarities between HelloKitty and FiveHand, however, there could be a possibility that two different ransomware groups are operating via underground affiliate programs. Security professionals are required to monitor and track these threats regularly to avoid any surprises.

Cyware Publisher