CISA Analyzes FiveHands Ransomware

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis of the FiveHands ransomware, roughly one week after FireEye’s Mandiant security researchers reported seeing the malware in recent attacks.

Written in C++, the FiveHands ransomware appears to be the successor to DeathRansom, based on code similarities between the two. However, both families also show a connection to the HelloKitty ransomware.

The malware is employed by a financially motivated threat actor known as UNC2447, which has been actively targeting various organizations in Europe and North America, and which has shown advanced capabilities.

This week, CISA revealed that it received a total of 18 malicious files associated with a FiveHands attack, including eight open-source penetration testing and exploitation tools, the ransomware itself, and nine files associated with the SombRAT remote access Trojan (RAT).

As part of the attack, which successfully compromised an organization, the adversary leveraged those legitimate and malicious tools to steal data, encrypt files, and demand a ransom payment from the victim organization.

A security flaw in a virtual private network (VPN) product was exploited as the initial attack vector, with publicly available tools then used for network discovery and the ransomware executed at a later stage of the attack.

FiveHands, CISA notes, uses a public key encryption scheme called NTRUEncrypt, and enumerates and then erases Volume Shadow Copies to prevent data recovery. As part of the attack, SombRAT was also deployed to facilitate the download and execution of additional malicious payloads.
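The enumerate-then-erase behaviour CISA describes is a useful detection hook regardless of ransomware family. The following is an added example, not code from CISA's report or from SecurityWeek: it scans constructed process-creation log lines for the common shadow-copy administration commands (vssadmin, wmic, the Win32_ShadowCopy WMI class) and flags a host where an enumeration is followed by a deletion. The page does not state which commands FiveHands itself uses, so the patterns and the sample events are assumptions chosen to illustrate the general technique.

```python
import re
from typing import Dict, List

# Constructed sample events (not from the CISA report), in time order.
# Format: timestamp | host | parent image | command line
SAMPLE_EVENTS = [
    "2021-05-06T10:01:12Z|WS01|explorer.exe|C:\\Windows\\System32\\notepad.exe report.txt",
    "2021-05-06T10:02:40Z|WS01|cmd.exe|vssadmin.exe list shadows",
    "2021-05-06T10:02:45Z|WS01|cmd.exe|vssadmin.exe delete shadows /all /quiet",
    "2021-05-06T10:03:01Z|SRV02|powershell.exe|wmic shadowcopy delete",
    "2021-05-06T10:03:20Z|SRV02|svchost.exe|C:\\Windows\\System32\\vssadmin.exe create shadow /for=C:",
    "2021-05-06T10:04:00Z|WS01|cmd.exe|powershell -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\"",
]

# Assumed indicators of shadow-copy enumeration (read-only, lower severity).
ENUMERATE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+list\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+(list|get)\b", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),
]

# Assumed indicators of shadow-copy deletion (the recovery-inhibition step).
DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I),
]


def classify(cmdline: str) -> str:
    """Return 'delete', 'enumerate' or 'benign' for one command line.
    Deletion is checked first so a one-liner that both enumerates and
    deletes is reported at the higher severity."""
    if any(p.search(cmdline) for p in DELETE_PATTERNS):
        return "delete"
    if any(p.search(cmdline) for p in ENUMERATE_PATTERNS):
        return "enumerate"
    return "benign"


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-delimited event; the command line may itself contain pipes."""
    ts, host, parent, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "parent": parent, "cmd": cmd}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return every non-benign event with its verdict attached."""
    alerts = []
    for ev in map(parse_event, lines):
        verdict = classify(ev["cmd"])
        if verdict != "benign":
            alerts.append({**ev, "verdict": verdict})
    return alerts


def enumerate_then_delete(lines: List[str]) -> List[str]:
    """Hosts where shadow copies were enumerated and later deleted, the
    ordering the article attributes to FiveHands. A bare deletion without
    prior enumeration (SRV02 in the sample) is still surfaced by scan()."""
    seen_enumeration = set()
    flagged = set()
    for ev in map(parse_event, lines):
        verdict = classify(ev["cmd"])
        if verdict == "enumerate":
            seen_enumeration.add(ev["host"])
        elif verdict == "delete" and ev["host"] in seen_enumeration:
            flagged.add(ev["host"])
    return sorted(flagged)


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['host']} [{alert['verdict']}] {alert['cmd']}")
    print("enumerate-then-delete hosts:", enumerate_then_delete(SAMPLE_EVENTS))
```

A legitimate backup job that creates a shadow copy (the SRV02 `create shadow` line) stays benign, while any deletion is reported on its own; the enumerate-then-delete correlation is what raises confidence that recovery inhibition rather than routine housekeeping is underway.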

In its malware analysis report (MAR) and accompanying analysis report (AR), CISA provides not only detailed technical information on the malware itself, but also recommendations on how organizations can mitigate similar attacks.

Last week, the Institute for Security and Technology (IST) published a set of 48 recommendations to combat ransomware, roughly two months after the National Cyber Investigative Joint Task Force (NCIJTF) published a joint-sealed ransomware factsheet that contains information on attack techniques and prevention methods.

Related: CISA Details Malware Found on Hacked Exchange Servers

Related: FBI Warns of PYSA Ransomware Attacks on Education Institutions in US, UK

Related: US Takes New Aim at Ransomware After Most Costly Year

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
