UNC2447, a threat group tracked by Mandiant, exploited a then-zero-day vulnerability in SonicWall SMA 100 Series VPN appliances, tracked as CVE-2021-20016, and deployed FiveHands ransomware before SonicWall released patches in late February 2021.
According to Mandiant, UNC2447 had earlier used a variant of the SombRAT backdoor, first seen in the CostaRicto campaign, together with Cobalt Strike implants for persistence. Exploitation of CVE-2021-20016 was observed in attacks in January 2021 and in later attacks as well. FiveHands itself was first seen in the wild in October 2020. Researchers note its similarity to HelloKitty ransomware, which was recently used in the breach of video game development studio CD Projekt Red; both strains are derivatives of DeathRansom ransomware.
Mandiant also notes that the ebb and flow of HelloKitty and FiveHands activity suggests the two are run through the same affiliate program:
“Based on technical and temporal observations of HELLOKITTY and FIVEHANDS deployments, Mandiant suspects that HELLOKITTY may have been used by an overall affiliate program from May 2020 through December 2020, and FIVEHANDS since approximately January 2021,” the researchers said in a report published today.
Beyond shared features, functionality, and code similarities, there is further evidence that the two strains are related: earlier this month, Mandiant observed a HelloKitty favicon on the Tor chat site used by FiveHands.
However, FiveHands differs from HelloKitty and DeathRansom in functionality, as it can “use the Windows Restart Manager to close a file currently in use so that it can be unlocked and successfully encrypted.”
It also differs in using a memory-only dropper, different embedded encryption libraries, and asynchronous I/O requests, none of which appear in the other two strains.
“UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums,” Mandiant added.
“UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics.”
Finally, Mandiant noted that UNC2447 operators deployed Ragnar Locker ransomware in previous attacks.