CISA Warns of FiveHands Ransomware Threat

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about a new ransomware variant being used in attacks on a wide range of industry sectors, including healthcare.

So far, the threat group behind the attacks has mainly targeted small- to medium-sized companies, according to researchers at FireEye who have been tracking the activity of the threat group. It is currently unclear whether this is the work of a nation state-backed hacking group or a cybercriminal organization. FireEye is tracking the group as UNC2447.

The threat group was first identified conducting FiveHands ransomware attacks in January and February, mostly on businesses in healthcare, telecommunications, construction, engineering, education, real estate, and the food and beverage industries. The group has been targeting an SQL injection vulnerability in the SonicWall SMA 100 Series VPN appliance – CVE-2021-20016 – to gain access to business networks and is using a variety of publicly available penetration and exploitation tools in the attacks.

FiveHands is a novel ransomware variant that uses a public key encryption scheme called NTRUEncrypt. This ensures encrypted files cannot be decrypted without paying the ransom. Windows Volume Shadow copies are also deleted to hamper any attempts to recover data without paying the ransom. As with most other ransomware variants, sensitive data are identified and exfiltrated prior to file encryption, and victims are pressured into paying the ransom with the threat of the exposure or sale of stolen data.

Once access to a network is gained, the attackers use SoftPerfect Network Scanner for Discovery and netscan.exe to find hostnames and network services. The attackers use PsExec for executing programs, including the Microsoft Sysinternals remote administration tool Servemanager.exe, along with other publicly available pen testing tools such as routerscan.exe, grabff.exe for extracting stored Firefox passwords and authentication data, and rclone.exe and s3browser-9-5-3.exe for uploading and downloading files. The SombRAT Trojan is also utilized in attacks as a loader for executing batch and text files.
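For defenders, the tool list above can be turned into a hunting check over process-creation logs. The following Python is an added example, not code from CISA or FireEye: it flags a host when tools from two or more stages run within a short window. The CSV log layout, the stage grouping, the two-hour window, the threshold and the sample log lines are all assumptions constructed for illustration; only the executable names come from the article (psexec.exe is the usual file name of PsExec).

```python
import csv, io, ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Executable names are those listed in the article; the stage labels are our own grouping.
TOOL_STAGE = {
    "netscan.exe": "discovery",
    "routerscan.exe": "discovery",
    "psexec.exe": "execution",
    "servemanager.exe": "execution",
    "grabff.exe": "credential-access",
    "rclone.exe": "transfer",
    "s3browser-9-5-3.exe": "transfer",
}

# Constructed sample (hypothetical export format): timestamp,host,user,image path
SAMPLE_LOG = """\
2021-05-10T09:00:12,WS-014,jdoe,C:\\Program Files\\Mozilla Firefox\\firefox.exe
2021-05-10T09:14:03,SRV-FS01,svc_backup,C:\\Users\\Public\\netscan.exe
2021-05-10T09:20:41,SRV-FS01,svc_backup,C:\\Users\\Public\\ServeManager.exe
2021-05-10T09:52:19,SRV-FS01,svc_backup,C:\\ProgramData\\RCLONE.EXE
2021-05-10T10:05:00,WS-022,asmith,C:\\Tools\\rclone.exe
2021-05-12T16:30:00,WS-022,asmith,C:\\Tools\\netscan.exe
"""

def parse_events(text):
    """Yield (time, host, stage, tool) for rows whose image name is a listed tool."""
    for ts, host, _user, image in csv.reader(io.StringIO(text)):
        tool = ntpath.basename(image).lower()  # match on file name, case-insensitively
        if tool in TOOL_STAGE:
            yield datetime.fromisoformat(ts), host, TOOL_STAGE[tool], tool

def find_alerts(text, window=timedelta(hours=2), min_stages=2):
    """Return {host: sorted stages} where >= min_stages distinct stages share one window."""
    by_host = defaultdict(list)
    for event in parse_events(text):
        by_host[event[1]].append(event)
    alerts = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, *_rest) in enumerate(events):
            stages = {e[2] for e in events[i:] if e[0] - start <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts

if __name__ == "__main__":
    for host, stages in find_alerts(SAMPLE_LOG).items():
        print(f"ALERT {host}: stages within window: {', '.join(stages)}")
```

Matching on file name alone misses renamed binaries, and several of these tools have legitimate administrative uses, so treat a hit as a lead to investigate rather than a verdict.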

FiveHands ransomware is able to evade security solutions through the use of PowerShell and can download additional malicious payloads. Communications with the C2 server are via a Secure Sockets Layer tunnel and are AES encrypted, and allow the threat group to execute downloadable DLL plug-ins through the protected SSL session. CISA reports that the FiveHands malware itself only provides the framework, with functionality added through the DLL plugins which collect and exfiltrate system data such as operating processes, computer name, username, operating system version, local system time, and other key data.

CISA has offered several mitigations that can be implemented to strengthen security and block FiveHands ransomware attacks. Organizations that use the SonicWall SMA 100 Series VPN appliance should ensure the patch for the CVE-2021-20016 vulnerability is applied. SonicWall corrected the vulnerability in February.

Other recommendations include:

  • Maintaining up-to-date antivirus signatures and engines.
  • Disabling file and printer sharing services.
  • Restricting users’ permissions to install and run software applications.
  • Implementing multi-factor authentication (MFA), especially on VPN connections.
  • Decommissioning unused VPN servers.
  • Monitoring network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).
  • Exercising caution when opening email attachments.
  • Enabling personal firewalls on agency workstations.
  • Disabling unnecessary services on agency workstations and servers.
  • Monitoring users’ web browsing habits.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.