Vulnerabilities in SonicWall VPN Appliances Targeted in FiveHands Ransomware Attacks

A vulnerability in SonicWall SMA 100 Series VPN appliances is being targeted to deliver a previously unknown ransomware variant dubbed FiveHands. Threat analysts at Mandiant have been tracking the activity of the threat group, UNC2447, and have observed attacks exploiting the CVE-2021-20016 vulnerability in North America and Europe since October 2020. SonicWall released a patch to correct the flaw in February 2021.

FiveHands ransomware is a variant of DeathRansom ransomware, which first emerged in November 2019. The new ransomware variant appears to replace HelloKitty ransomware, which has largely stopped being used in attacks since January 2021. HelloKitty was used in the cyberattack on CD Projekt RED that delayed the release of Cyberpunk 2077.

Mandiant’s analysis revealed that the two ransomware variants share a considerable amount of code, features, and functionality, and that both are also linked on Tor. In contrast to HelloKitty, FiveHands uses the Windows Restart Manager to release files that are currently in use so that they can be encrypted. The ransomware uses symmetric AES-128 encryption, rather than the AES-256 encryption used by the HelloKitty and DeathRansom ransomware variants. FiveHands is also delivered by a memory-only dropper, leaving less on disk for forensic analysis.

UNC2447 is a relatively recently discovered threat group that Mandiant named in November 2020. The group has advanced capabilities and has been successful in evading detection and hampering post-intrusion forensics. Mandiant has observed affiliates of the group using RagnarLocker ransomware in attacks in the past, and suspects affiliates have been using HelloKitty ransomware in attacks from May 2020 to December 2020. FiveHands ransomware attacks were first observed in January 2021. One of the most recent attacks is believed to be on the Whistler resort, according to Bleeping Computer.

Prior to deploying the ransomware, the group is known to deploy Cobalt Strike and a variant of the SombRAT backdoor. The group exfiltrates data prior to file encryption and aggressively pressures victims with threats of negative media attention and the sale of the stolen data on hacking forums.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news