Threat actors exploited a zero-day bug in SonicWall SMA 100 Series VPN appliances to deploy new ransomware known as FiveHands on the networks of North American and European targets.
The group, tracked by Mandiant threat analysts as UNC2447, exploited the CVE-2021-20016 SonicWall vulnerability to breach networks and deploy FiveHands ransomware payloads before patches were released in late February 2021.
UNC2447 was also observed using Cobalt Strike implants for gaining persistence and installing a SombRAT backdoor variant.
The FiveHands ransomware deployed in UNC2447 attacks was first observed in the wild during October 2020. It is also very similar to HelloKitty ransomware, both of them rewrites of DeathRansom ransomware.
HelloKitty was used to encrypt the systems of video game development studio CD Projekt Red, with the attackers later claiming to have stolen the source code for Cyberpunk 2077, Witcher 3, Gwent, and an unreleased version of Witcher 3.
As discovered by Mandiant, HelloKitty activity had slowly dwindled starting with January 2021 when FiveHands usage in attacks began to pick up.
Based on technical and temporal observations of HELLOKITTY and FIVEHANDS deployments, Mandiant suspects that HELLOKITTY may have been used by an overall affiliate program
Besides sharing features, functionality, and code similarities, the two malware strains were also linked by Mandiant earlier this month after it observed a FiveHands ransomware Tor chat using a HelloKitty favicon.
FiveHands also has extra functionality since, unlike HelloKitty and DeathRansom, it can also “use the Windows Restart Manager to close a file currently in use so that it can be unlocked and successfully encrypted.”
It further differs by using different embedded encryption libraries, a memory-only dropper, and asynchronous I/O requests, not present in the two other ransomware strains in its family.