A financially motivated threat actor exploited a zero-day bug in SonicWall SMA 100 Series VPN appliances to deploy new ransomware known as FiveHands on the networks of North American and European targets.
The group, tracked by Mandiant threat analysts as UNC2447, exploited the CVE-2021-20016 SonicWall vulnerability to breach networks and deploy FiveHands ransomware payloads before patches were released in late February 2021.
Before deploying the ransomware payloads, UNC2447 was also observed using Cobalt Strike implants to gain persistence and installing a SombRAT backdoor variant, a malware first observed in the CostaRicto campaign coordinated by a group of mercenary hackers.
The FiveHands ransomware deployed in UNC2447 attacks was first observed in the wild in October 2020.
The former was used to encrypt the systems of video game development studio CD Projekt Red [1, 2], with the attackers later claiming to have stolen the source code for Cyberpunk 2077, Witcher 3, Gwent, and an unreleased version of Witcher 3.
This ransomware operation has also targeted other large companies worldwide, including Brazilian power company CEMIG (Companhia Energética de Minas Gerais).
As discovered by Mandiant, HelloKitty activity had slowly dwindled starting in January 2021, when FiveHands usage in attacks began to pick up.
“Based on technical and temporal observations of HELLOKITTY and FIVEHANDS deployments, Mandiant suspects that HELLOKITTY may have been used by an overall affiliate program from May 2020 through December 2020, and FIVEHANDS since approximately January 2021,” the researchers said.
In addition to sharing feature, functionality, and coding similarities, the two malware strains were also linked by Mandiant earlier this month after observing a FiveHands ransomware Tor chat using a HelloKitty favicon.
BleepingComputer reported earlier today on Whistler resort municipality being hit by a new ransomware operation using a very similar Tor site, but it’s not clear if there are any links to the FiveHands ransomware operation.
FiveHands also has additional functionality since, unlike HelloKitty and DeathRansom, it can also “use the Windows Restart Manager to close a file currently in use so that it can be unlocked and successfully encrypted.”
It further differs by using different embedded encryption libraries, a memory-only dropper, and asynchronous I/O requests, none of which are present in the two other ransomware strains in its family.
Ragnar Locker ransomware also deployed by UNC2447 affiliates
“UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums,” Mandiant added in a report published today.
“UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics.”
Mandiant says that UNC2447 affiliates have also been observed deploying Ragnar Locker ransomware in earlier attacks.
In March, Mandiant analysts discovered three more zero-day vulnerabilities in SonicWall’s on-premises and hosted Email Security (ES) products.
These zero-days were also actively exploited by another group, tracked as UNC2682, to backdoor systems using BEHINDER web shells, move laterally through the victims’ networks, and gain access to emails and files.