Ransomware group UNC2447 used an SQL injection bug to attack US and European orgs
30 Apr 2021
Security researchers have discovered a new strain of ransomware designed to exploit a SonicWall VPN zero-day vulnerability before a patch was available.
According to researchers at Mandiant, the flaw exists in SonicWall’s SMA-100 series of VPN products. Hackers, whom Mandiant dubbed UNC2447, targeted organizations in Europe and North America with a new ransomware known as FiveHands, a rewritten version of the DeathRansom ransomware.
Hackers deployed the malware as early as January this year, alongside Sombrat malware, at multiple victims who were then extorted. Researchers noted that in one of the ransomware intrusions, the same Warprism and Beacon malware samples previously attributed to UNC2447 were observed. Researchers are certain that the same hacking group used Ragnar Locker ransomware in the past.
30 April 2021, 01:04 am
A new strain of ransomware has been found deployed in attacks on SonicWall SMA 100 Series VPN appliances. The experts call it FiveHands, and it has hit a wide range of targets across Europe and North America.
According to Mandiant security analysts, the group behind the attack is UNC2447, which specialises in data and network breaches.
They also said that the group is responsible for deploying the FiveHands ransomware, and that this happened before the patches were released later in February.
Group's Operation Targets SonicWall
UNC2447 is no stranger to exploiting systems. Before spreading ransomware payloads, the group was observed taking full control of victim systems through Cobalt Strike implants and scouting for further deployments.
Researchers observed a new ransomware variant, called FiveHands, being deployed by an “aggressive” financially motivated threat group in January and February.
According to a FireEye Mandiant report, the UNC2447 group exploited a critical SonicWall vulnerability (CVE-2021-20016) prior to a patch being available. The group leveraged this exploit as a foothold in order to deploy the previously discovered SombRAT malware, as well as FiveHands.
“UNC2447 monetizes intrusions by extorting their victims first with FiveHands ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums,” said researchers with FireEye Mandiant.
UNC2447 (“UNC” being FireEye’s designation for unclassified threat groups) was first discovered by researchers in November, when they observed the group using a PowerShell dropper in an attempt to install malware at two unnamed companies. In January, the UNC2447 group
Despite being a mostly run-of-the-mill ransomware strain, Babuk Locker’s encryption mechanisms and abuse of Windows Restart Manager set it apart.
Only a few days into the new year, one of the first new ransomware strains of 2021 has been discovered. Dubbed Babuk Locker, the ransomware appears to have successfully compromised five companies thus far, according to new research.
The research author, Chuong Dong, a computer science student at Georgia Tech, said that he first saw the ransomware mentioned in a tweet by a security researcher who goes by “Arkbird” on Twitter. He then discovered information about Babuk on RaidForums, which is a forum for sharing databases of breaches and leaks.