FiveHands Ransomware Analysis: Can a Risk-Based Approach Help Prevent Future Attacks?

Did you know FiveHands Ransomware is using the same tactics as the DarkSide group?

Early this year, threat actors exploited a vulnerability (CVE-2021-20016) even before the vendor could publish it on the National Vulnerability Database (NVD) and attacked an organization and stole information. A new ransomware family, FiveHands, played a major role in the exploit.

With attackers rapidly weaponizing vulnerabilities, organizations that depend on the NVD to manage their prioritization and patching cadence are likely to be adversely affected.

The FiveHands ransomware group used publicly available tools to unobtrusively penetrate weak points and access credentials. Researchers have found that the tactics employed by the group are similar to the methods used by the DarkSide group, namely, encrypting a target’s data, stealing some of it, and threatening to leak the same online if the ransom is not paid.

Vulnerability Analysis of CVE exploited by FiveHands Ransomware Group

It has been found that a security flaw in SonicWall Virtual Private Network (VPN) SMA100 served as the first attack vector. This allowed the attackers behind FiveHands to infiltrate internal systems by submitting a specially crafted query. The attack occurred within a few days of the CVE becoming publicly available in the NVD.


A Timeline Analysis of CVE-2021-20016

Vendor publishes CVE January 23, 2021
Ransomware exploits CVE Between January 23 and February 3, 2021
Patch releases for CVE February 3, 2021
NVD publishes CVE February 4, 2021
CVE starts trending May 2021


We analyzed the exploited SonicWall loophole and have outlined our findings below.

  • CVE-2021-20016 was an SQL injection vulnerability in the SonicWall Secure Mobile Access (SMA) 100 Series VPN appliance.
  • The CVE has been marked as a critical vulnerability with a CVSS V3 score of 9.8.
  • It is categorized under CWE-89 – a weakness category that could result in the misuse of sensitive data in the SQL database. Incidentally, CWE-89 ranks sixth among the top 25 dangerous software weaknesses released by MITRE.
  • The vulnerability was seen across six products from SonicWall:
    • SMA 100 firmware
    • SMA 200 firmware
    • SMA 210 firmware
    • SMA 400 firmware
    • SMA 410 firmware
    • SMA 500V
  • A patch has been available since February 3, 2021 and yet we found that the CVE is still trending, highlighting the fact that organizations are not prioritizing weaknesses based on their threat context.
  • Researchers tracked the group behind FiveHands as UNC2447, an uncategorized Advanced Persistent Threat (APT) group. Only ongoing research will reveal if FiveHands is an existing APT group or a new find altogether.

Incidentally, the CVE-2021-20016 used by FiveHands was also exploited in the recent Colonial Pipeline attack by the DarkSide ransomware group in May 2021.

Attack Methodology

The ransomware intrusions in the SonicWall attack leveraged a combination of testing and exploitation tools to steal data and encrypt files. The attackers demanded a ransom, failing which the stolen data was to be leaked on hacker forums.

  • A PowerShell dropper, Warprism, was used to discreetly gain initial access into the application.
  • A command-line utility tool, Foxgrabber, was used to extract user credentials from remote systems.
  • A Cobalt Strike payload, the Beacon HTTPS Stager, was deployed to command and control the compromised host using HTTPS protocol.
  • The components of UNC2447 toolbox were utilized to manipulate Windows security settings, firewall rules, and antivirus protection.
  • Finally, the payload was introduced directly into memory via a SombRAT remote access trojan, providing for file obfuscation and arbitrary code execution.

Sectors Impacted

Companies from multiple industrial sectors have been affected by FiveHands Ransomware. Primarily, these attacks have been observed in healthcare, telecommunications, construction, engineering, education, real estate, and food and beverage organizations.


Geographically, the threat group behind the attacks has been observed focusing on organizations across Europe and North America, and more recently the US and Japan.

Predicting potentially dangerous consequences, the Cybersecuirty and Infrastructure Security Agency (CISA) issued an alert on May 6, 2021 declaring the FiveHands ransomware variant as a cause for concern.

FiveHands MITRE ATT&CK Mapping


T1190 – Exploit Public-Facing Application
TA0007 – Discovery
T1046 – Network Service Scanning
MD5 Hashes:


SHA256 Hashes:


A Risk-Based Approach to Ransomware

Ransomware attacks are on the rise and the attack methods are constantly evolving. As evident from the recent SonicWall VPN and Colonial Pipeline attacks, threat actors have begun exploiting yet to be published zero-day vulnerabilities. Huge ransomware payouts are emboldening attackers to target critical entities. Organizations need to adopt a risk-based approach to continuously identify, prioritize, and remediate vulnerabilities immediately.


To implement this approach, organizations need to be supported by an Attack Surface Management (ASM) solution that provides timely updates and accurate threat context on currently trending vulnerabilities.

Concerned about being targeted by ransomware attacks?  

Get in touch with us for a Ransomware Assessment.


CSW’s Ransomware Assessment is powered by Vulnerability Intelligence (VI), a dynamic and current single source of truth that looks beyond the NVD to collate a comprehensive list of vulnerabilities and associated ransomware. Backed by this database, CSW helps organizations prioritize vulnerabilities and provides a threat context to their risks.


Share This Post On