Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development , Ransomware

CISA Alert Describes FiveHands Ransomware Threat

Agency Offers In-Depth Analysis, Risk Mitigation Advice
CISA Alert Describes FiveHands Ransomware Threat

The Cybersecurity and Infrastructure Security Agency has issued an alert providing more details on the threat posed by FiveHands ransomware attacks.

See Also: Live Webinar | A Buyers' Guide: What to Consider When Assessing a CASB

The CISA alert, which follows one issued last week by FireEye's Mandiant research team, describes the ransomware gang's methods and offers risk mitigation tips.

"Threat actors used publicly available penetration testing and exploitation tools, FiveHands ransomware and the SombRAT remote access Trojan, to steal information, obfuscate files and demand a ransom from the victim organization," CISA says. "Additionally, the threat actors used publicly available tools for network discovery and credential access."

Series of Attacks

FireEye said it observed an attack group using FiveHands in extortion incidents during January and February. The group has mainly targeted small and midsized businesses in telecommunications, healthcare, construction, engineering, food and beverage, education, real estate and other sectors, the security firm says.

FireEye named the malicious group involved UNC2447; CISA offers no attribution of who is behind the attacks.

The attackers exploited a zero-day vulnerability in a VPN, SonicWall's SMA 100 Series appliance, FireEye says. The flaw is tracked as CVE-2021-20016.

CISA's FiveHands Findings

The government researchers spotted various artifacts in a postmortem conducted on one attack, enabling them to build a more detailed attack profile.

CISA determined the attackers used several features of the SoftPerfect Network Scanner to discover hostnames and network services. They used Netscan.exe, a stand-alone version of the SoftPerfect Network Scanner, version 7.2.9 for 64-bit operating systems. Netscan.exe can ping computers, scan ports and discover shared folders using Windows Management Instrumentation, Simple Network Management Protocol, Hypertext Transfer Protocol, Secure Shell and PowerShell, according to the alert.

Netscan.exe also scans for remote services, registry, files and performance counters and offers flexible filtering and display options, CISA says.

The attackers also used netscan.xml to report the scan results to the SoftPerfect Network Scanner program and netscan.lic, which is the license needed to unlock all of the tools used by the program.

Other tools the attackers used include: the open-source tool routerscan.exe, which identifies network routers and proxy servers on a network; grabff.exe, which uses a command line interface to extract Firefox stored passwords and authentication information from the user's profile; the cloud management tool rclone.exe, which can upload and download files and provide encryption; and s3browser-9-5-3.exe, another data uploader.

FiveHands and SombRAT

CISA describes FiveHands as a novel ransomware variant that uses a public key encryption scheme called NTRUEncrypt, which helps ensure the data cannot be decrypted.

The ransomware also uses PsExec, a free Microsoft tool that IT administrators and attackers use to execute a program on another computer. Plus, it uses ServeManager.exe, an executable file activated using the Microsoft Sysinternals remote administration tool, to load an embedded module and execute the encrypter.

FiveHands executes the SombRAT Trojan using batch and text files. And the ransomware uses PowerShell to bypass any anti-malware programs and download additional malicious payloads.

Describing one FiveHands incident, CISA says: "The SombRAT loader recovered ... was a 64-bit variant that allowed the malicious actor to remotely download and load executable dynamic-link libraries plugins on the affected system. The loader used hardcoded public RSA keys for command and control sessions. The C2 communications were encrypted using Advanced Encryption Standard, resulting in a Secure Sockets Layer tunnel with the threat actors."

Encrypted communication with the command-and-control server is key to making FiveHands effective because it allows the operators to download executable DLL plug-ins through a protected SSL session, CISA says. The malware itself only provides a framework, while the plug-ins deliver the functionality to collect system data, such as computer name, username, current process, operating system version and local system time, the agency adds.

Risk Mitigation Advice

CISA offers a long list of recommendations to protect against FiveHands and other types of ransomware. Among those tips are:

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up to date.
  • Restrict users' ability to install and run unwanted software applications.
  • Decommission unused VPN servers, which may act as a point of entry for attackers.
  • Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet.

Earlier this week, Secretary of Homeland Security Alejandro Mayorkas warned that 50% to 75% of all ransomware attacks in the last year have targeted small and midsized businesses (see: DHS Secretary: Small Businesses Hard-Hit by Ransomware).


About the Author

Doug Olenick

Doug Olenick

News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to joining ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.