CISA Alert Describes FiveHands Ransomware Threat
Agency Offers In-Depth Analysis, Risk Mitigation Advice
The Cybersecurity and Infrastructure Security Agency has issued an alert providing more details on the threat posed by FiveHands ransomware attacks.
The CISA alert, which follows one issued last week by FireEye's Mandiant research team, describes the ransomware gang's methods and offers risk mitigation tips.
"Threat actors used publicly available penetration testing and exploitation tools, FiveHands ransomware and the SombRAT remote access Trojan, to steal information, obfuscate files and demand a ransom from the victim organization," CISA says. "Additionally, the threat actors used publicly available tools for network discovery and credential access."
Series of Attacks
FireEye said it observed an attack group using FiveHands in extortion incidents during January and February. The group has mainly targeted small and midsized businesses in telecommunications, healthcare, construction, engineering, food and beverage, education, real estate and other sectors, the security firm says.
FireEye named the malicious group involved UNC2447; CISA offers no attribution of who is behind the attacks.
The attackers exploited a zero-day vulnerability in a VPN, SonicWall's SMA 100 Series appliance, FireEye says. The flaw is tracked as CVE-2021-20016.
CISA's FiveHands Findings
The government researchers spotted various artifacts in a postmortem conducted on one attack, enabling them to build a more detailed attack profile.
CISA determined the attackers used several features of the SoftPerfect Network Scanner to discover hostnames and network services. They used Netscan.exe, a stand-alone version of the SoftPerfect Network Scanner, version 7.2.9 for 64-bit operating systems. Netscan.exe can ping computers, scan ports and discover shared folders using Windows Management Instrumentation, Simple Network Management Protocol, Hypertext Transfer Protocol, Secure Shell and PowerShell, according to the alert.
Netscan.exe also scans for remote services, registry, files and performance counters and offers flexible filtering and display options, CISA says.
The attackers also used netscan.xml to report the scan results to the SoftPerfect Network Scanner program and netscan.lic, which is the license needed to unlock all of the tools used by the program.
Other tools the attackers used include: the open-source tool routerscan.exe, which identifies network routers and proxy servers on a network; grabff.exe, which uses a command line interface to extract Firefox stored passwords and authentication information from the user's profile; the cloud management tool rclone.exe, which can upload and download files and provide encryption; and s3browser-9-5-3.exe, another data uploader.
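The tool names above are the kind of artifact a defender can hunt for in endpoint telemetry. The following is an added example, not part of the CISA alert or the article: it scans constructed, simplified process-creation records (timestamp, host, user, image path, command line) for the executables the alert lists and reports hosts where more than one stage of the intrusion was observed. The log format, the hostnames and the "stage" grouping are this example's own assumptions.

```python
"""Match process-creation events against the tooling named in the FiveHands alert.

Added example; the log layout and sample lines are constructed, not real telemetry.
"""
import re
from collections import defaultdict

# Executable names come from the alert; the stage labels are this example's grouping.
TOOL_STAGES = {
    "netscan.exe": "network discovery",
    "routerscan.exe": "network discovery",
    "grabff.exe": "credential access",
    "rclone.exe": "exfiltration",
    "s3browser-9-5-3.exe": "exfiltration",
    "psexec.exe": "remote execution",
}

# Constructed sample records: timestamp | host | user | image path | command line
SAMPLE_LOG = """\
2021-04-12T09:14:02Z|WS-117|corp\\jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe
2021-04-12T09:16:45Z|WS-117|corp\\jdoe|C:\\Users\\Public\\netscan.exe|netscan.exe
2021-04-12T09:31:10Z|WS-117|corp\\jdoe|C:\\Users\\Public\\grabff.exe|grabff.exe
2021-04-12T10:02:33Z|FS-01|corp\\svc_backup|C:\\Tools\\rclone.exe|rclone.exe copy D:\\Shares remote:bucket
2021-04-12T10:05:01Z|FS-01|corp\\svc_backup|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\|(?P<host>[^|]+)\|(?P<user>[^|]+)\|(?P<image>[^|]+)\|(?P<cmd>.*)$"
)


def parse_events(text):
    """Turn the pipe-delimited records into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def basename(path):
    """Last path component, lower-cased, so matching ignores directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_tools(events):
    """Return the events whose image name is one of the listed tools, annotated with stage."""
    hits = []
    for ev in events:
        name = basename(ev["image"])
        if name in TOOL_STAGES:
            hits.append({**ev, "tool": name, "stage": TOOL_STAGES[name]})
    return hits


def hosts_with_multiple_stages(hits):
    """Hosts where more than one stage appears: a stronger signal than a single hit,
    since an admin may legitimately run a network scanner or rclone alone."""
    stages = defaultdict(set)
    for h in hits:
        stages[h["host"]].add(h["stage"])
    return {host: sorted(s) for host, s in stages.items() if len(s) > 1}


if __name__ == "__main__":
    hits = match_tools(parse_events(SAMPLE_LOG))
    for h in hits:
        print(f"{h['ts']} {h['host']} {h['user']} ran {h['tool']} ({h['stage']})")
    print("hosts with multiple stages:", hosts_with_multiple_stages(hits))
```

Matching on file name alone is a weak indicator, since the tools are renamed easily and several have legitimate administrative uses; the per-host stage correlation is what turns individual hits into something worth escalating, and in practice it would be backed by file hashes or signer information from the telemetry source.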
FiveHands and SombRAT
CISA describes FiveHands as a novel ransomware variant that uses a public key encryption scheme called NTRUEncrypt, which helps ensure the encrypted data cannot be recovered without the attackers' private key.
The ransomware also uses PsExec, a free Microsoft tool that IT administrators and attackers use to execute a program on another computer. Plus, it uses ServeManager.exe, an executable file activated using the Microsoft Sysinternals remote administration tool, to load an embedded module and execute the encrypter.
FiveHands executes the SombRAT Trojan using batch and text files. And the ransomware uses PowerShell to bypass any anti-malware programs and download additional malicious payloads.
Describing one FiveHands incident, CISA says: "The SombRAT loader recovered ... was a 64-bit variant that allowed the malicious actor to remotely download and load executable dynamic-link libraries plugins on the affected system. The loader used hardcoded public RSA keys for command and control sessions. The C2 communications were encrypted using Advanced Encryption Standard, resulting in a Secure Sockets Layer tunnel with the threat actors."
Encrypted communication with the command-and-control server is key to making FiveHands effective because it allows the operators to download executable DLL plug-ins through a protected SSL session, CISA says. The malware itself only provides a framework, while the plug-ins deliver the functionality to collect system data, such as computer name, username, current process, operating system version and local system time, the agency adds.
Risk Mitigation Advice
CISA offers a long list of recommendations to protect against FiveHands and other types of ransomware. Among those tips are:
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up to date.
- Restrict users' ability to install and run unwanted software applications.
- Decommission unused VPN servers, which may act as a point of entry for attackers.
- Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet.
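The last tip, monitoring outbound traffic for unexpected protocols, is straightforward to turn into a check over flow records. The following is an added example, not part of the CISA alert or the article: it parses constructed flow lines, keeps only flows that leave the internal address space, flags any whose protocol and destination port are not on an approved outbound list, and separately totals bytes sent per internal host to external destinations so that a large upload (the kind of transfer rclone or S3 Browser would produce) stands out even when it rides an approved port. The internal ranges, the approved list and the upload threshold are this example's own assumptions.

```python
"""Flag unapproved outbound protocols and unusually large uploads in flow records.

Added example; address ranges, approved list, threshold and sample flows are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed internal address space for this example.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed approved outbound (protocol, destination port) pairs.
APPROVED_OUTBOUND = {("tcp", 443), ("tcp", 80), ("udp", 53)}

# Assumed per-host outbound volume above which a transfer is worth a look.
LARGE_UPLOAD_BYTES = 500 * 1024 * 1024

# Constructed sample flows: key=value fields, one flow per line.
SAMPLE_FLOWS = """\
src=10.0.5.23 dst=10.0.0.10 proto=tcp dport=445 bytes_out=120000
src=10.0.5.23 dst=203.0.113.7 proto=tcp dport=443 bytes_out=84000
src=10.0.5.23 dst=198.51.100.9 proto=tcp dport=8443 bytes_out=2200
src=10.0.7.40 dst=203.0.113.55 proto=tcp dport=443 bytes_out=900000000
src=10.0.7.40 dst=198.51.100.20 proto=udp dport=53 bytes_out=300
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_flows(text):
    """Parse key=value flow lines into dicts with typed port and byte counts."""
    flows = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if {"src", "dst", "proto", "dport", "bytes_out"} <= fields.keys():
            fields["dport"] = int(fields["dport"])
            fields["bytes_out"] = int(fields["bytes_out"])
            fields["proto"] = fields["proto"].lower()
            flows.append(fields)
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_flows(flows):
    """Flows from an internal source to an external destination."""
    return [f for f in flows if is_internal(f["src"]) and not is_internal(f["dst"])]


def unapproved_outbound(flows):
    """Outbound flows whose (proto, dport) is not on the approved list."""
    return [f for f in outbound_flows(flows)
            if (f["proto"], f["dport"]) not in APPROVED_OUTBOUND]


def large_uploads(flows, threshold=LARGE_UPLOAD_BYTES):
    """Internal hosts whose total bytes sent to external destinations exceed threshold."""
    totals = defaultdict(int)
    for f in outbound_flows(flows):
        totals[f["src"]] += f["bytes_out"]
    return {src: total for src, total in totals.items() if total > threshold}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in unapproved_outbound(flows):
        print(f"unapproved outbound: {f['src']} -> {f['dst']} {f['proto']}/{f['dport']}")
    for src, total in large_uploads(flows).items():
        print(f"large upload: {src} sent {total} bytes externally")
```

The two checks are complementary: a port allowlist catches tunnels on odd ports, while the volume check catches exfiltration over HTTPS, which an allowlist will never flag. Both depend on the approved list and threshold being tuned to the environment, otherwise the first produces noise and the second misses slow transfers spread across many small flows.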
Earlier this week, Secretary of Homeland Security Alejandro Mayorkas warned that 50% to 75% of all ransomware attacks in the last year have targeted small and midsized businesses (see: DHS Secretary: Small Businesses Hard-Hit by Ransomware).