FiveHands Ransomware Overview

Overview of the FiveHands Ransomware Variant

This report is an overview of the FiveHands Ransomware variant that successfully attacked an organization (CISA release date May 6, 2021). CISA reports that the variant used publicly-available pen test and exploitation tools—plus FiveHands ransomware and SombRAT remote access trojan (RAT)—to steal information, obfuscate files, accomplish network discovery, accomplish credential access, and demand ransom from the victim.

Tools used include SoftPerfect Network Scanner, FiveHands ransomware, PsExec.exe, ServeManager.exe, SombRAT, RouterScan.exe, grabff.exe, rclone.exe, and s3browser-9-5-3.exe.

Tactics, Techniques, and Procedures

The initial access vector was a zero-day vulnerability in a VPN product. What followed is that the bad actor used SoftPerfect Network Scanner for the discovery of hostnames and network services. PsExec was then used to execute ServeManager.exe (what CISA calls FiveHands ransomware):

“FiveHands is a novel ransomware variant that uses a public key encryption scheme called NTRUEncrypt. Note: the NTRUEncrypt public key cryptosystem encryption algorithm (NTRU), is a lattice-based alternative to Rivest-Shamir-Adleman, known as RSA, and Elliptic-curve cryptography, or ECC, and is based on the shortest vector problem in a lattice. To prevent data recovery, FiveHands uses WMI to first enumerate then delete Volume Shadow copies (Inhibit System Recovery [T1490]; Windows Management Instrumentation [T1047]). The malware also encrypts files in the recovery folder (Data Encrypted for Impact [T1486]). After the files are encrypted, the program will write a ransom note to each folder and directory on the system.” (https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a)

MITRE also points to PowerSploit—an offensive, open-source security framework combining PowerShell modules and scripts to perform tasks related to pen-testing (e.g., RCE, persistence, bypassing AV, recon, and exfiltration). Techniques that may be used include—but are not limited to—Access Token Manipulation, Boot or Logon Autostart, Command and Scripting Interpreter (PowerShell), Domain Trust Discovery, Process Discovery, Screen Capture, and Kerberoasting (for the full list, refer to the MITRE Mapping link in the Sources section below).

FiveHands Ransomware Business Unit Impact

• Ransomware has short- and long-term costs: the ransom itself; legal advice & representation; incident response & recovery; unforeseen business closure; and reputation.
• Ransomware affects not only targeted enterprises and their c-suites; clients and third-party vendors may become indirect victims.

Our Recommendations

• Follow implementations and security measures advised and required by appropriate compliance rules.
• Ensure backup and recovery strategies are routinely scheduled.
• Whenever possible, solicit the advice and representation of legal counsel prior to an event; this may be the first call in a ransom situation.
• Ensure AV software and associated files and signatures are up to date.
• Keep operating systems up to date.
• Decommission unused VPN servers.
• Implement MFA, particularly on VPN connections, external-facing servers, and privileged accounts.
• Update and implement employee training, specifically for email and web browsing.
• Be extremely cautious with email attachments and links; scan for and remove suspicious email attachments.
• Search for and remediate existing IoCs in the environment.
• Disable file and printer sharing services; if such services are required, use strong passwords or AD authentication.
• If you are a victim of ransomware, use the Ransomware Response Checklist (located in CISA’s Joint Ransomware Guide—refer to the Sources section below).
• Security personnel and analysts should report signs of pen testing to verify legitimacy.

Sources

• https://exchange.xforce.ibmcloud.com/threats/guid:51282e7af9418f9a1c52187aee8d6fe8

Supporting Documentation

• https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
• https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b
• https://www.cisa.gov/publication/ransomware-guide

MITRE Mapping(s)

• https://attack.mitre.org/software/S0194/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.