S0618 FIVEHANDS
FIVEHANDS is a customized version of DEATHRANSOM ransomware written in C++. FIVEHANDS has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with SombRAT.[1][2]
Item | Value |
---|---|
ID | S0618 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 04 June 2021 |
Last Modified | 18 October 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1059 | Command and Scripting Interpreter | FIVEHANDS can receive a command line argument to limit file encryption to specified directories.[1][2] |
enterprise | T1486 | Data Encrypted for Impact | FIVEHANDS can use an embedded NTRU public key to encrypt data for ransom.[1][3][2] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | FIVEHANDS has the ability to decrypt its payload prior to execution.[1][3][2] |
enterprise | T1083 | File and Directory Discovery | FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions.[3][2] |
enterprise | T1490 | Inhibit System Recovery | FIVEHANDS has the ability to delete volume shadow copies on compromised hosts.[1][3] |
enterprise | T1135 | Network Share Discovery | FIVEHANDS can enumerate network shares and mounted drives on a network.[2] |
enterprise | T1027 | Obfuscated Files or Information | The FIVEHANDS payload is encrypted with AES-128.[1][3][2] |
enterprise | T1047 | Windows Management Instrumentation | FIVEHANDS can use WMI to delete files on a target machine.[1][3] |
References
1. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
2. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.
3. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.