FIVEHANDS

FIVEHANDS is a customized version of DEATHRANSOM ransomware written in C++. FIVEHANDS has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with SombRAT.^[1]^[2]

ID: S0618

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 04 June 2021

Last Modified: 11 April 2024

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059		Command and Scripting Interpreter	FIVEHANDS can receive a command line argument to limit file encryption to specified directories.^[1]^[2]
Enterprise	T1486		Data Encrypted for Impact	FIVEHANDS can use an embedded NTRU public key to encrypt data for ransom.^[1]^[3]^[2]
Enterprise	T1140		Deobfuscate/Decode Files or Information	FIVEHANDS has the ability to decrypt its payload prior to execution.^[1]^[3]^[2]
Enterprise	T1083		File and Directory Discovery	FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions.^[3]^[2]
Enterprise	T1490		Inhibit System Recovery	FIVEHANDS has the ability to delete volume shadow copies on compromised hosts.^[1]^[3]
Enterprise	T1135		Network Share Discovery	FIVEHANDS can enumerate network shares and mounted drives on a network.^[2]
Enterprise	T1027	.013	Obfuscated Files or Information: Encrypted/Encoded File	The FIVEHANDS payload is encrypted with AES-128.^[1]^[3]^[2]
Enterprise	T1047		Windows Management Instrumentation	FIVEHANDS can use WMI to delete files on a target machine.^[1]^[3]

References

McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.

CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.

FIVEHANDS

Enterprise Layer

Techniques Used

References