The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory regarding a new ransomware variant that is employed in attacks on a number of industry sectors, such as medical care.
To date, the threat group associated with the attacks has primarily targeted small- to medium-sized organizations, according to FireEye researchers who have been monitoring the group’s activity. It is presently unclear whether this is the work of a cybercriminal group or a nation state-sponsored hacking group. FireEye tracks the threat group as UNC2447.
The threat group was first observed conducting FiveHands ransomware attacks between January and February, mainly against organizations in healthcare, telecommunications, engineering, construction, food and beverage, real estate and education. The group exploits CVE-2021-20016, an SQL injection vulnerability in the SonicWall SMA 100 Series VPN appliance, to gain access to company networks and uses various publicly available penetration testing and exploitation tools in its attacks.
FiveHands is a novel ransomware variant that uses a public-key encryption scheme called NTRUEncrypt, which ensures that encrypted files cannot be decrypted without paying the ransom. Windows Volume Shadow Copies are also deleted to hinder any attempt to restore data without paying. As with most other ransomware variants, sensitive data is located and exfiltrated before file encryption, and victims are pressured into paying the ransom with the threat that the stolen data will be publicly exposed or sold.
Once the attackers gain access to a system, they use SoftPerfect Network Scanner for discovery and netscan.exe to locate hostnames and network services. The attackers use PsExec to run programs, including the Microsoft Sysinternals remote administration tool Servemanager.exe, alongside other freely available pen-testing tools such as routerscan.exe, grabff.exe for extracting saved Firefox passwords and authentication data, and rclone.exe and s3browser-9-5-3.exe for uploading and downloading files. The SombRAT Trojan is also used in the attacks as a loader to execute batch and text files.
FiveHands ransomware can evade security solutions using PowerShell and can download additional malicious payloads. Communications with the C2 server run over a Secure Sockets Layer (SSL) tunnel and are typically AES encrypted, allowing the threat group to download DLL plug-ins through the protected SSL session. CISA notes that the FiveHands malware alone provides only the framework; its functionality is added through the DLL plug-ins, which collect and exfiltrate system data such as the username, computer name, running processes, operating system version, local system time, and other key information.
CISA has provided a number of mitigations that can be used to strengthen security and block FiveHands ransomware attacks. Companies that use the SonicWall SMA 100 Series VPN appliance should ensure the patch for the CVE-2021-20016 vulnerability has been applied. SonicWall addressed the vulnerability last February.
The following are a few more suggestions:
- Keep antivirus signatures and engines up to date.
- Limit users’ permissions to install and run software.
- Turn off file and printer sharing.
- Use multi-factor authentication (MFA), particularly on VPN connections.
- Decommission VPN servers that are no longer in use.
- Exercise caution when opening email attachments.
- Enable personal firewalls on company workstations.
- Turn off unnecessary services on organization servers and workstations.
- Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SMB, RDP, SSH).
- Monitor users’ web browsing habits.
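The traffic-monitoring item above can be turned into a simple egress check. The following is an added example, not code from CISA or the advisory: it parses constructed firewall log lines in a hypothetical key=value format and flags SMB, RDP or SSH connections leaving the internal address ranges (assumed here to be RFC 1918 plus loopback and link-local) to destinations that are not on an allowlist.

```python
import ipaddress
from collections import namedtuple

# Ports for the protocols CISA's list singles out as unexpected when seen
# leaving the network toward the internet (SMB, RDP, SSH).
WATCHED_PORTS = {445: "SMB", 3389: "RDP", 22: "SSH"}
# Address ranges treated as internal (assumed: RFC 1918 plus loopback/link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample egress-firewall log (hypothetical key=value format;
# public destinations use documentation ranges, not real hosts).
SAMPLE_LOG = """\
ts=2021-05-06T10:01:02Z src=10.0.1.15 dst=203.0.113.40 dport=445 proto=tcp
ts=2021-05-06T10:01:05Z src=10.0.1.15 dst=10.0.2.7 dport=445 proto=tcp
ts=2021-05-06T10:02:11Z src=10.0.1.22 dst=198.51.100.9 dport=22 proto=tcp
ts=2021-05-06T10:02:40Z src=10.0.1.22 dst=198.51.100.9 dport=443 proto=tcp
ts=2021-05-06T10:03:00Z src=10.0.1.30 dst=192.0.2.77 dport=3389 proto=tcp
"""

Alert = namedtuple("Alert", "ts src dst protocol")

def parse_line(line):
    """Split one key=value log line into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def is_internal(ip):
    """True when the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_unapproved_egress(log_text, allowlist=frozenset()):
    """Return an Alert for each SMB/RDP/SSH flow to a non-internal, non-allowlisted host."""
    alerts = []
    for line in log_text.splitlines():
        f = parse_line(line)
        try:
            dport, dst = int(f["dport"]), f["dst"]
            external = not is_internal(dst)
        except (KeyError, ValueError):
            continue  # missing or malformed fields: not a usable flow record
        if dport in WATCHED_PORTS and external and dst not in allowlist:
            alerts.append(Alert(f.get("ts", "?"), f.get("src", "?"), dst, WATCHED_PORTS[dport]))
    return alerts
```

Running `find_unapproved_egress(SAMPLE_LOG)` on the constructed log yields three alerts (SMB, SSH, RDP); the internal SMB flow and the HTTPS flow are ignored, and an allowlist entry for a known external SSH host suppresses that alert.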