The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has released an alert about a new ransomware variant being used in attacks on many industry sectors, including healthcare.
So far, the threat group behind the attacks has mostly targeted small- and medium-sized firms, according to FireEye researchers who have been tracking the group’s activity. It is not yet clear whether this is the work of a cybercriminal organization or a nation-state-backed hacking group. FireEye tracks the group as UNC2447.
The group was first observed conducting FiveHands ransomware attacks in January and February, primarily against companies in healthcare, telecom, construction, engineering, food and beverage, education and real estate. It exploits CVE-2021-20016, a SQL injection vulnerability in the SonicWall SMA 100 Series VPN appliance, to gain access to organizations’ networks, and uses a range of publicly available penetration-testing and exploitation tools in the attacks.
FiveHands is a new ransomware variant that uses the NTRUEncrypt public key encryption scheme, which ensures encrypted files cannot be decrypted without paying the ransom. Windows Volume Shadow Copies are also deleted to hinder any attempt to recover data without paying. As with many other ransomware variants, sensitive data is located and exfiltrated before file encryption, and victims are pressured into paying by threats to publish or sell the stolen records.
Once the attackers gain access to a system, they use SoftPerfect Network Scanner for discovery and netscan.exe to enumerate hostnames and network services. They use PsExec to run programs, including the Microsoft Sysinternals remote administration tool Servemanager.exe, alongside other publicly available pen-testing tools such as routerscan.exe, grabff.exe for dumping stored Firefox passwords and authentication data, and rclone.exe and s3browser-9-5-3.exe for transferring and accessing files. The SombRAT Trojan is also used in the attacks as a loader for executing batch and text files.
FiveHands ransomware can evade security solutions via PowerShell and download additional malicious payloads. Connections to the C2 server pass through a Secure Sockets Layer (SSL) tunnel and are additionally AES encrypted, allowing the threat group to deliver downloadable DLL plug-ins over the protected SSL session. CISA notes that the FiveHands malware itself only provides the framework; the functionality is supplied by the DLL plug-ins, which collect and exfiltrate system data such as computer name, username, running processes, operating system version, local system time and other key details.
CISA has provided a number of mitigations that can be applied to strengthen security and prevent FiveHands ransomware attacks. Organizations that use the SonicWall SMA 100 Series VPN appliance should ensure the patch for CVE-2021-20016 has been applied. SonicWall fixed the vulnerability in February.
Other recommendations include:
- Update antivirus signatures and engines.
- Restrict users’ permissions to install and run software applications.
- Disable file and printer sharing services.
- Use multi-factor authentication (MFA), particularly on VPN connections.
- Decommission unused VPN servers.
- Exercise caution when opening email attachments.
- Use personal firewalls on company workstations.
- Disable unneeded services on company workstations and servers.
- Monitor network traffic for unusual and unapproved protocols, especially outbound to the internet (e.g., SMB, SSH, RDP).
- Monitor users’ web browsing behavior.
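As an added example (not part of the CISA alert or the reporting above), the following Python sketch turns two points from the text into checks a defender can run over telemetry: execution of the post-access tools named above, and the recommended watch for outbound SMB, SSH or RDP from internal hosts to the internet. The log formats, host names and sample lines are constructed for illustration.

```python
import ipaddress
import re
# Post-access tools named in the FiveHands reporting above, matched on image
# file name only (a renamed binary would not be caught).
FIVEHANDS_TOOLING = {
    "psexec.exe": "remote execution", "servemanager.exe": "remote administration",
    "netscan.exe": "host and service discovery", "routerscan.exe": "network scanning",
    "grabff.exe": "Firefox credential theft", "rclone.exe": "file transfer / exfiltration",
    "s3browser-9-5-3.exe": "file transfer / exfiltration",
}
# Protocols the mitigations say should not leave the network (dst port -> name).
WATCHED_PORTS = {445: "SMB", 22: "SSH", 3389: "RDP"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def flag_process_events(lines):
    """Constructed format host|user|image_path|command_line; returns
    (host, image_name, reason) for every event that runs a listed tool."""
    hits = []
    for line in lines:
        host, _user, image, _cmdline = line.split("|", 3)
        name = image.rsplit("\\", 1)[-1].lower()
        if name in FIVEHANDS_TOOLING:
            hits.append((host, name, FIVEHANDS_TOOLING[name]))
    return hits

def flag_outbound(lines):
    """Constructed format src_ip:src_port -> dst_ip:dst_port; returns (src, dst, proto)
    for SMB/SSH/RDP from an RFC1918 host to a non-RFC1918 destination."""
    pat = re.compile(r"([\d.]+):\d+ -> ([\d.]+):(\d+)")
    hits = []
    for m in filter(None, map(pat.search, lines)):
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport in WATCHED_PORTS and is_internal(src) and not is_internal(dst):
            hits.append((src, dst, WATCHED_PORTS[dport]))
    return hits

# Constructed sample telemetry; 203.0.113.0/24 (a documentation range) stands in for the internet.
PROCESS_EVENTS = [
    "WS01|jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe",
    "WS01|svc_admin|C:\\Temp\\netscan.exe|netscan.exe /range:10.0.0.0/24",
    "SRV02|svc_admin|C:\\Temp\\rclone.exe|rclone.exe copy D:\\Finance remote:bucket",
]
FIREWALL_LINES = [
    "10.0.0.5:51000 -> 10.0.0.10:445",    # SMB inside the network: not flagged
    "10.0.0.5:51001 -> 203.0.113.7:445",  # SMB to the internet: flagged
    "10.0.0.9:51002 -> 203.0.113.9:443",  # HTTPS: not in the watched set
]
```

Name matching alone is a weak signal, since the same tools are used legitimately by administrators; in practice the hits would be correlated with the user, host and time of execution before raising an alert.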