Security researchers have discovered a new strain of ransomware designed to exploit a SonicWall VPN zero-day vulnerability before a patch was available.
RELATED RESOURCE
The business guide to ransomware
Everything you need to know to keep your company afloat
According to researchers at Mandiant, the flaw exists in SonicWall’s SMA-100 series of VPN products. Hackers, who Mandiant dubbed UNC2447, targeted organizations in Europe and North America with a new ransomware known as FiveHands, a rewritten version of the DeathRansom ransomware.
Hackers deployed the malware as early as January this year along with Sombrat malware at multiple victims that were extorted. Researchers noted that in one of the ransomware intrusions, the same Warprism and Beacon malware samples previously attributed to UNC2447 were observed. Researchers are certain that the same hacking group used Ragnar Locker ransomware in the past.
“Based on technical and temporal observations of HelloKitty and FiveHands deployments, Mandiant suspects that HelloKitty may have been used by an overall affiliate program from May 2020 through December 2020, and FiveHands since approximately January 2021,” the researchers said.
Researchers said FiveHands is suspected to be affiliate ransomware and the successor to another variant of DeathRansom called HelloKitty. The HelloKitty ransomware has been used to hold games firm CD Projekt Red to ransom. They added that they observed a private FiveHands Tor chat earlier this month using a Hello Kitty favicon.
The new FiveHands malware improves on HelloKitty and DeathRansom by using a memory-only dropper and encryption on more files and folders. The malware can also "use the Windows Restart Manager to close a file currently in use so that it can be unlocked and successfully encrypted."
The exploit the ransomware uses is CVE-2021-20016, a critical SQL injection vulnerability that exploits unpatched SonicWall Secure Mobile Access SMA 100 series remote access products. Researchers said this flaw allows a remote, unauthenticated attacker to submit a specially crafted query to exploit the vulnerability.
“Successful exploitation would grant an attacker the ability to access login credentials (username, password) as well as session information that could then be used to log into a vulnerable unpatched SMA 100 series appliance,” said researchers
This vulnerability only impacted the SMA 100 series and was patched by SonicWall in February 2021.
The hackers make money from intrusions by extorting their victims first with FiveHands ransomware. That is “followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums,” according to researchers.
"UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics."
Researchers said while similarities between HelloKitty and FiveHands are notable, different groups may use ransomware through underground affiliate programs.
-
Everything we know about the Plex data breach so farNews Plex advised users to sign out of any connected devices that are currently logged in and enable two-factor authentication if they haven’t already.
-
Mainframes are back in vogueNews Mainframes are back in vogue, according to research from Kyndryl, with enterprises ramping up hybrid IT strategies and generative AI adoption.
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million rewardNews The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
Security researchers have just identified what could be the first ‘AI-powered’ ransomware strain – and it uses OpenAI’s gpt-oss-20b modelNews Using OpenAI's gpt-oss:20b model, ‘PromptLock’ generates malicious Lua scripts via the Ollama API.
-
Data I/O shuts down systems in wake of ransomware attack
News Regulatory filings by Data I/O suggest the costs of dealing with the attack could be significant
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
