Threat Signal Report

FiveHands Ransomware - New Malware Analysis Report from CISA


The United States Cybersecurity and Infrastructure Security Agency (CISA) published a malware analysis report (MAR) on the FiveHands Ransomware. Included in this report is a technical analysis of 18 files associated with the FiveHands ransomware and SombRAT remote access trojan (RAT). The FiveHands ransomware is attributed to the APT group UNC2447. UNC2447 is not attributed to any known nation state or APT group at this time. UNC2447 has been linked to previous attacks on security vendor SonicWall in the past.

What are the Technical Details?

Contained within the report are malware and artifacts used by UNC2447 during their campaigns. Observations detailed includes the usage of the SoftPerfect Network Scanner, which allows for the retrieval of practically any information about network devices via ping, port scans, and shared folder discovery. Results are then exported to an XML file for later retrieval.

Another observed artifact was an XML file that contained scanning results for network connected devices, including hostnames and a search of open remote desktop protocol (RDP) ports. Other related artifacts to SoftPerfect include the remnants of a license key used to activate the software.

Another artifact is an executable file that is executed using PSexec. It allows the program to be loaded into memory and once decoded, executes a payload. This payload is the ransomware component of the FiveHands ransomware. It will then look for files and folders with the following file extensions and encrypt the files it finds:

.txt, .chm, .dat, .ocx, .js, .tlb, .vbs, .sys, .lnk, .xml, .jpg, .log, .zip, .htm, .ini, .gif, .html, .css, and others.

The malware then uses Windows Management Instrumentation (WMI) to locate Volume Shadow copies and delete them.

SombRAT is another artifact observed that is a 64-bit variant of itself when decoded. The loader primarily gives the operator the capability to load and upload plugins onto a victim machine. Given this extensibility, SombRAT can be custom designed by the attacker with further functionality.

Other artifacts contained with the report are various PowerShell and Powersploit scripts used by FiveHands to further the attack along and, when decoded, load various payloads into memory or on to the hard disk. Configuration files were observed as well that allowed the malware to load predetermined domains and DNS entries. Network files, password stores, network routers, and proxy servers were observed to be targeted as well for credential harvesting and access.

The ransomware note contains a message displayed to targeted victims. Contained within is the usual informational text file that provides details on what is ransomware, what happened, instructions on what not to do, and contact information (such as an email address). It also includes a sinister notice that states that if demands are not met, the "source codes" will be sold in auction "in 5 hands" [sic]. Lastly, the victim is instructed that they can get more information by opening a predefined TOR URL that obfuscates the attacker's location and identity.

What Operating Systems Are Affected?

Windows based operating systems.

How Serious of an Issue is This?

MEDIUM/HIGH. This is rated MEDIUM/HIGH as we have not seen other instances of this ransomware elsewhere and the spread appears to be restricted to a specific region for the time being. This rating will be revised if we observe further occurrences of FiveHands in the wild.

How Widespread is this Attack?

Low. At this time, it appears to be confined to targeted attacks

Is there Any Identified Nation State Activity or Attribution?


Should Victims Pay the Ransom?

FortiGuard Labs cannot provide any guidance here. It is up to each organization to determine their risk. Factors in that decision include determining the potential for loss due to downtime and reputation, along with whether or not an organization has cybersecurity insurance coverage to help mitigate such potential losses.

What is the status of Protections?

FortiGuard Labs has the following (AV) signatures in place for publicly available samples as:







For FortiEDR protections, all published IOC's were added to our Cloud intelligence and will be blocked if executed on customer systems.

Any Other Suggested Mitigation?

Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed, and updated to protect against attackers establishing a foothold within a network.

Also - organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.


Traffic Light Protocol

Color When Should it Be used? How may it be shared?


Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.


Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.


Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.


Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.