FIVEHANDS

FIVEHANDS is a customized version of DEATHRANSOM ransomware written in C++. FIVEHANDS has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with SombRAT.^[1]^[2]

ID: S0618

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 04 June 2021

Last Modified: 11 April 2024

Techniques Used

Domain	ID		Name	Use
Enterprise	T1047		Windows管理规范	FIVEHANDS can use WMI to delete files on a target machine.^[1]^[3]
Enterprise	T1140		反混淆/解码文件或信息	FIVEHANDS has the ability to decrypt its payload prior to execution.^[1]^[3]^[2]
Enterprise	T1059		命令与脚本解释器	FIVEHANDS can receive a command line argument to limit file encryption to specified directories.^[1]^[2]
Enterprise	T1486		数据加密以实现影响	FIVEHANDS can use an embedded NTRU public key to encrypt data for ransom.^[1]^[3]^[2]
Enterprise	T1083		文件和目录发现	FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions.^[3]^[2]
Enterprise	T1027	.013	混淆文件或信息: Encrypted/Encoded File	The FIVEHANDS payload is encrypted with AES-128.^[1]^[3]^[2]
Enterprise	T1490		系统恢复抑制	FIVEHANDS has the ability to delete volume shadow copies on compromised hosts.^[1]^[3]
Enterprise	T1135		网络共享发现	FIVEHANDS can enumerate network shares and mounted drives on a network.^[2]

References

McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.

CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.

FIVEHANDS

Enterprise Layer

Techniques Used

References