Skip to content


FIVEHANDS is a customized version of DEATHRANSOM ransomware written in C++. FIVEHANDS has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with SombRAT.12

Item Value
ID S0618
Associated Names
Version 1.0
Created 04 June 2021
Last Modified 18 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter FIVEHANDS can receive a command line argument to limit file encryption to specified directories.12
enterprise T1486 Data Encrypted for Impact FIVEHANDS can use an embedded NTRU public key to encrypt data for ransom.132
enterprise T1140 Deobfuscate/Decode Files or Information FIVEHANDS has the ability to decrypt its payload prior to execution.132
enterprise T1083 File and Directory Discovery FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions.32
enterprise T1490 Inhibit System Recovery FIVEHANDS has the ability to delete volume shadow copies on compromised hosts.13
enterprise T1135 Network Share Discovery FIVEHANDS can enumerate network shares and mounted drives on a network.2
enterprise T1027 Obfuscated Files or Information The FIVEHANDS payload is encrypted with AES-128.132
enterprise T1047 Windows Management Instrumentation FIVEHANDS can use WMI to delete files on a target machine.13