New ransomware: CISA warns over FiveHands file-encrypting malware variant

New malware has already been used in a cyberattack against one organisation.

The US Cybersecurity & Infrastructure Security Agency (CISA) has warned organizations to be on the lookout for a relatively new ransomware variant called FiveHands.

FiveHands ransomware has been around since January 2021, but CISA said it was "aware of a recent, successful cyberattack against an organization" using this strain of file-encrypting malware.

The group using FiveHands employs the same tactics as the DarkSide ransomware group that is holding Colonial Pipeline to ransom: it not only encrypts a target's data but also steals some of it and threatens to leak it online unless the attackers' payment demands are met.


FireEye's incident response arm Mandiant, which tracks the FiveHands group as UNC2447, detected the group exploiting a zero-day flaw in SonicWall VPN appliances (CVE-2021-20016), according to an April report.

Attackers were targeting unpatched SonicWall Secure Mobile Access (SMA) 100 series remote access products, for which patches were released in February.

The publicly available tools the group uses include the SoftPerfect Network Scanner for discovery and Microsoft's Sysinternals remote-execution tool PsExec.exe, alongside ServeManager.exe.

"To thwart the recovery of the data, the ransomware uses Windows Management Instrumentation (WMI) to enumerate Volume Shadow copies using the command select * from Win32_ShadowCopy and then deletes copies by ID (Win32_ShadowCopy.ID)," CISA notes in its Analysis Report (AR21-126A). 

"The malware will also encrypt files in the recovery folder at C:\Recovery. After the files are encrypted the program will write a ransom note to each folder and directory on the system called read_me_unlock.txt."
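The shadow-copy enumeration and deletion and the read_me_unlock.txt note that CISA describes above are also the signals a defender can hunt for. The following is an added example, not code from the CISA report or from the malware: it runs a simple rule set over constructed host telemetry (Sysmon-style process and file events plus WMI-Activity events, flattened here to one "key=value | key=value" line each; the hostnames, paths and shadow-copy ID are invented) and rates each host. It also catches the equivalent vssadmin and wmic command lines, which FiveHands does not need but other ransomware families use.

```python
"""Flag FiveHands-style recovery sabotage in host telemetry.

Added example, not code from the CISA report or the malware. The input is
constructed to look like Sysmon process/file events and WMI-Activity events
flattened to one "key=value | key=value" line each.
"""
import re
from collections import defaultdict

# Constructed sample telemetry; hostnames, paths and the shadow-copy ID are invented.
SAMPLE_EVENTS = r"""
host=WS01 | event=WmiQuery | image=C:\Users\bob\AppData\Local\Temp\ServeManager.exe | query=select * from Win32_ShadowCopy
host=WS01 | event=WmiMethod | image=C:\Users\bob\AppData\Local\Temp\ServeManager.exe | target=Win32_ShadowCopy.ID="{3D7A1C20-0000-4000-8000-000000000001}" | method=Delete
host=WS01 | event=FileCreate | image=C:\Users\bob\AppData\Local\Temp\ServeManager.exe | target=C:\Recovery\read_me_unlock.txt
host=WS02 | event=ProcessCreate | image=C:\Windows\System32\vssadmin.exe | cmdline=vssadmin list shadows
host=WS02 | event=WmiQuery | image=C:\Windows\System32\wbem\WmiPrvSE.exe | query=select * from Win32_OperatingSystem
host=SRV01 | event=ProcessCreate | image=C:\Windows\System32\wbem\WMIC.exe | cmdline=wmic shadowcopy delete /nointeractive
"""

# Any reference to the WMI class FiveHands queries (select * from Win32_ShadowCopy)
# or deletes through (Win32_ShadowCopy.ID).
SHADOWCOPY_CLASS = re.compile(r"win32_shadowcopy", re.I)
# Command-line equivalents used by other ransomware families.
SHADOW_DELETE_CMD = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I
)
RANSOM_NOTE = "read_me_unlock.txt"


def parse_event(line: str) -> dict:
    """Split 'k=v | k=v' into a dict; values may themselves contain '='."""
    event = {}
    for field in line.split(" | "):
        key, _, value = field.partition("=")
        event[key.strip()] = value.strip()
    return event


def classify(event: dict) -> set:
    """Return the detection tags a single event triggers."""
    tags = set()
    kind = event.get("event", "")
    if kind == "WmiQuery" and SHADOWCOPY_CLASS.search(event.get("query", "")):
        tags.add("shadowcopy-enum")
    if (kind == "WmiMethod" and SHADOWCOPY_CLASS.search(event.get("target", ""))
            and event.get("method", "").lower() == "delete"):
        tags.add("shadowcopy-delete")
    if kind == "ProcessCreate" and SHADOW_DELETE_CMD.search(event.get("cmdline", "")):
        tags.add("shadowcopy-delete")
    if kind == "FileCreate" and event.get("target", "").lower().endswith(RANSOM_NOTE):
        tags.add("ransom-note")
    return tags


def verdict(tags: set) -> str:
    """A note, or enumeration followed by deletion, is strong; one signal alone is weaker."""
    if "ransom-note" in tags or {"shadowcopy-enum", "shadowcopy-delete"} <= tags:
        return "likely-ransomware"
    if tags:
        return "suspicious"
    return "clean"


def assess(telemetry: str) -> dict:
    """Aggregate tags per host and rate each host."""
    findings = defaultdict(set)
    for line in telemetry.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        findings[event["host"]].update(classify(event))
    return {host: {"verdict": verdict(tags), "tags": sorted(tags)}
            for host, tags in findings.items()}


if __name__ == "__main__":
    for host, result in assess(SAMPLE_EVENTS).items():
        print(f"{host}: {result['verdict']} {result['tags']}")
```

Listing shadow copies (vssadmin list shadows) is left untagged on purpose, since backup and monitoring tools do that routinely; a lone delete is rated only "suspicious" for the same reason, and the combination with a ransom note is what lifts a host to "likely-ransomware".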

The group also deploys SombRAT, a remote access trojan that allows the attackers to download and execute malicious DLLs (software plugins) on compromised systems. It is the main channel for the attackers' command and control (C2) traffic.

"The RAT provides most of its C2 capabilities to the remote operator by allowing the remote operator to securely transfer executable DLL plugins to the target system—via a protected SSL session—and load these plugins at will via the embedded plugin framework," CISA explains. 

"The native malware itself does not provide much actual functionality to the operator without the code provided by the plugins."


Without plugins, the RAT can still collect basic system data, such as the computer's name, the user's name, the current process, the operating system version, and the process it is masquerading as.

Among CISA's key recommendations are to update antivirus signatures and to keep the operating system current with the latest patches. It also recommends disabling file and printer sharing services, implementing least privilege, and enabling multi-factor authentication on all VPN connections, external-facing services, and privileged accounts. Organizations should also decommission unused VPN services and monitor network traffic for unapproved protocols, especially those used for outbound connections to the internet, such as SSH, SMB and RDP.
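The last recommendation, watching for SSH, SMB and RDP leaving the network, is the one most often skipped because those protocols are normal inside the perimeter. The following is an added example, not from the CISA advisory: it reads constructed flow records (timestamp, source, destination, destination port, protocol; addresses are from documentation ranges) and reports only connections from RFC 1918 space to external hosts on those three ports, minus a hypothetical allowlist of approved egress destinations.

```python
"""Spot outbound SSH/SMB/RDP from internal hosts to the internet in flow records.

Added example, not from the CISA advisory. Flow records are constructed in a
minimal CSV form; the approved-egress allowlist is a hypothetical local policy.
"""
import csv
import io
import ipaddress

WATCHED_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP"}

# RFC 1918 space only. ipaddress.is_private is deliberately not used: it also
# treats documentation ranges such as 198.51.100.0/24 as private, which would
# hide the sample destinations below.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical approved external destinations (e.g. a vendor SFTP drop), as (ip, port).
APPROVED_EGRESS = {("203.0.113.10", 22)}

# Constructed sample flows; all addresses are from documentation ranges.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto
2021-05-06T14:02:11Z,10.0.5.23,10.0.5.1,445,tcp
2021-05-06T14:02:40Z,10.0.5.23,198.51.100.77,445,tcp
2021-05-06T14:03:05Z,10.0.5.23,198.51.100.77,3389,tcp
2021-05-06T14:03:30Z,10.0.7.8,203.0.113.10,22,tcp
2021-05-06T14:04:02Z,10.0.7.8,203.0.113.10,443,tcp
2021-05-06T14:04:55Z,192.168.1.20,203.0.113.55,22,tcp
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_egress(flow_csv: str, approved=frozenset()) -> list:
    """Return internal-to-external flows on watched ports that are not approved."""
    hits = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        port = int(row["dport"])
        if port not in WATCHED_PORTS:
            continue
        # Internal-to-internal SMB/RDP is normal; only egress is interesting here.
        if not is_internal(row["src"]) or is_internal(row["dst"]):
            continue
        if (row["dst"], port) in approved:
            continue
        hits.append({"ts": row["ts"], "src": row["src"], "dst": row["dst"],
                     "dport": port, "service": WATCHED_PORTS[port]})
    return hits


def summarize(hits: list) -> dict:
    """Group flagged services by source host, preserving first-seen order."""
    by_src = {}
    for hit in hits:
        by_src.setdefault(hit["src"], []).append(hit["service"])
    return by_src


if __name__ == "__main__":
    for hit in flag_egress(SAMPLE_FLOWS, APPROVED_EGRESS):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} ({hit['service']})")
    print(summarize(flag_egress(SAMPLE_FLOWS, APPROVED_EGRESS)))
```

In the sample, the internal SMB flow and the HTTPS flow are ignored, the SSH session to the allowlisted host is accepted, and the remaining three flows (SMB and RDP to one external host, SSH to an unapproved one) are reported. A source that shows up with several services, as 10.0.5.23 does here, is worth looking at first.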

Separately, CISA today issued the same advice for organizations and critical infrastructures in the wake of the Colonial Pipeline ransomware attack.