This report gives an overview of the FiveHands ransomware variant used in a successful attack on an organization, as documented in CISA's analysis report released May 6, 2021. CISA reports that the actor used publicly available penetration-testing and exploitation tools, together with the FiveHands ransomware and the SombRAT remote access trojan (RAT), to steal information, obfuscate files, perform network discovery, obtain credentials, and demand ransom from the victim.
Tools used include SoftPerfect Network Scanner, FiveHands ransomware, PsExec.exe, ServeManager.exe, SombRAT, RouterScan.exe, grabff.exe, rclone.exe, and s3browser-9-5-3.exe.
The initial access vector was a zero-day vulnerability in a VPN product. The threat actor then used SoftPerfect Network Scanner to discover hostnames and network services, and used PsExec to execute ServeManager.exe (the binary CISA identifies as the FiveHands ransomware):
“FiveHands is a novel ransomware variant that uses a public key encryption scheme called NTRUEncrypt. Note: the NTRUEncrypt public key cryptosystem encryption algorithm (NTRU) is a lattice-based alternative to Rivest-Shamir-Adleman, known as RSA, and Elliptic-curve cryptography, or ECC, and is based on the shortest vector problem in a lattice. To prevent data recovery, FiveHands uses WMI to first enumerate then delete Volume Shadow copies (Inhibit System Recovery [T1490]; Windows Management Instrumentation [T1047]). The malware also encrypts files in the recovery folder (Data Encrypted for Impact [T1486]). After the files are encrypted, the program will write a ransom note to each folder and directory on the system.” (https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a)
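The "first enumerate, then delete" shadow-copy sequence in the CISA excerpt is a detection opportunity: both steps surface in process-creation telemetry (Sysmon Event ID 1 or Security 4688 command lines). The following Python is an added example written for this report, not code from CISA, Avertium or the malware. It assumes newline-delimited JSON records with `RecordId`, `Computer`, `UtcTime`, `Image` and `CommandLine` fields; the sample records, the rule names, the PowerShell one-liner and the 30-second correlation window are all constructed for illustration.

```python
"""Triage of process-creation telemetry for WMI/vssadmin shadow-copy
deletion (Inhibit System Recovery T1490 via WMI T1047), plus correlation of
the enumerate-then-delete sequence on the same host.

Added example for this report; not CISA, Avertium or FiveHands code.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records (Sysmon Event ID 1 style). Hostnames, times and
# command lines are made up; record 103 is benign noise.
SAMPLE_LOG = r"""
{"RecordId": 101, "Computer": "FS01", "UtcTime": "2021-05-06T10:14:02", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy list brief"}
{"RecordId": 102, "Computer": "FS01", "UtcTime": "2021-05-06T10:14:05", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy delete /nointeractive"}
{"RecordId": 103, "Computer": "WS07", "UtcTime": "2021-05-06T10:20:11", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"}
{"RecordId": 104, "Computer": "WS07", "UtcTime": "2021-05-06T10:21:40", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"}
{"RecordId": 105, "Computer": "DC01", "UtcTime": "2021-05-06T10:30:00", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin delete shadows /all /quiet"}
"""

# Each rule: (name, phase, ATT&CK ids from the report, compiled pattern).
# The phase tag lets correlate() look for enumeration followed by deletion.
RULES = [
    ("wmic_shadowcopy_list", "enumerate", ["T1047"],
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\b(?:list|get)\b", re.I)),
    ("ps_win32_shadowcopy_query", "enumerate", ["T1047"],
     re.compile(r"Get-(?:WmiObject|CimInstance)\s+(?:-Class(?:Name)?\s+)?Win32_ShadowCopy", re.I)),
    ("wmic_shadowcopy_delete", "delete", ["T1490", "T1047"],
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("ps_win32_shadowcopy_delete", "delete", ["T1490", "T1047"],
     re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I)),
    ("vssadmin_delete_shadows", "delete", ["T1490"],
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
]


@dataclass
class Detection:
    record_id: int
    host: str
    when: datetime
    rule: str
    phase: str
    techniques: list
    command_line: str


def parse_records(raw):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def scan(records):
    """Match every rule against every record's command line; one Detection per hit."""
    hits = []
    for rec in records:
        cmd = rec.get("CommandLine", "")
        for name, phase, techs, pattern in RULES:
            if pattern.search(cmd):
                hits.append(Detection(rec["RecordId"], rec["Computer"],
                                      datetime.fromisoformat(rec["UtcTime"]),
                                      name, phase, list(techs), cmd))
    return hits


def correlate(hits, window_seconds=30):
    """Hosts where a deletion follows an enumeration within the window.

    Returns {host: seconds between the closest enumerate/delete pair}. A
    single command that both queries and deletes (record 104) yields 0.
    """
    by_host = {}
    for h in hits:
        by_host.setdefault(h.host, []).append(h)
    alerts = {}
    for host, host_hits in by_host.items():
        enums = [h.when for h in host_hits if h.phase == "enumerate"]
        deletes = [h.when for h in host_hits if h.phase == "delete"]
        gaps = [(d - e).total_seconds() for e in enums for d in deletes
                if 0 <= (d - e).total_seconds() <= window_seconds]
        if gaps:
            alerts[host] = min(gaps)
    return alerts


def triage(raw=SAMPLE_LOG):
    """Run scan() and correlate() over a log; returns (hits, sequence_alerts)."""
    hits = scan(parse_records(raw))
    return hits, correlate(hits)


if __name__ == "__main__":
    hits, alerts = triage()
    for h in hits:
        print(f"{h.host} #{h.record_id} {h.rule} [{','.join(h.techniques)}]: {h.command_line}")
    print("enumerate->delete sequence on:", alerts)
```

Single-rule hits (DC01's lone `vssadmin` call) are still worth an alert; the correlation simply raises confidence when the two-step WMI pattern CISA describes appears on one host. In production the same rules would sit in a SIEM query rather than a script, with legitimate backup software whitelisted by image path and signer.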
The MITRE mapping also lists PowerSploit, an open-source offensive security framework of PowerShell modules and scripts used for penetration-testing tasks (e.g., remote code execution, persistence, AV bypass, reconnaissance, and exfiltration). Techniques that may be used include, but are not limited to, Access Token Manipulation, Boot or Logon Autostart, Command and Scripting Interpreter (PowerShell), Domain Trust Discovery, Process Discovery, Screen Capture, and Kerberoasting (for the full list, refer to the MITRE Mapping link in the Sources section below).
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it should be addressed.
This informed analysis is based on the latest data available.