Ransomware hackers infect thousands of SonicWall VPN implementations

Cybersecurity experts reported that operators of a new ransomware variant identified as FiveHands exploited a zero-day flaw in SonicWall SMA 100 Series VPN appliances to compromise the networks of organizations in the United States and Europe. The attackers reportedly abused the flaw tracked as CVE-2021-20016 to gain initial access, deliver the ransomware payload and complete the infection.

Before deploying the ransomware payload, the hacking group, identified as UNC2447, used Cobalt Strike implants to gain persistence on the target systems and install the SombRAT backdoor, which had been detected a few months earlier in the hacking campaign identified as CostaRicto.

The report mentions that this ransomware variant was first detected in the wild in late 2020, drawing the attention of the cybersecurity community because of its similarities to the HelloKitty ransomware, itself a rework of the DeathRansom malware.

The HelloKitty ransomware was observed in multiple attacks against the systems of the video game studio CD Projekt Red, which allowed the threat actors to access the source code of titles such as Cyberpunk 2077, The Witcher and Gwent, among others. Many other companies around the world have fallen victim to this ransomware variant, including the Brazilian power company CEMIG. However, reports of HelloKitty infections declined sharply in early 2021, just as reports of FiveHands began to appear.

Subsequently, the researchers discovered that FiveHands’ Tor website uses HelloKitty’s favicon.

It was also recently reported that the municipality of Whistler was affected by a hacking group using a very similar Tor website, although it is not yet clear whether that incident is linked to the FiveHands ransomware.

Regarding the hacking group, experts note that UNC2447 monetizes intrusions by first extorting its victims with the FiveHands ransomware and then increasing the pressure by threatening media attention and offering the victims' data for sale on hacking forums. UNC2447 has been particularly active in Europe and the United States, showing advanced capabilities to evade detection mechanisms and to minimize the information researchers can recover through forensic analysis.
