FIVEHANDS

Malware Profile Updated 3 months ago
FiveHands, also known as HelloKitty, is a sophisticated ransomware family that primarily targets financial institutions. It was first reported by Mandiant in April 2021 as part of the cyber threat posed by the UNC2447 group. The ransomware is typically delivered by Encryptor.exe, a loader that launches the malicious payload on the victim's device. FiveHands has been associated with other notorious ransomware strains such as Abyss Locker and DeathRansom, reflecting the family's continued evolution and adaptation.

In November 2021, the FBI issued a flash alert warning private organizations about the evolution of the FiveHands ransomware. This followed incidents in which SonicWall appliances, commonly used by businesses for network security, were targeted by FiveHands and other ransomware gangs. The malware has also been linked to significant disruptions, including the compromise of VMware ESXi instances and of CD Projekt Red, highlighting its potential for large-scale damage.

PQ Hosting, a web hosting service, has been implicated in hosting infamous ransomware such as FiveHands and DarkSide. Notably, DarkSide was responsible for the high-profile 2021 attack on the US energy company Colonial Pipeline, which led to a shutdown of critical energy infrastructure. That incident underscores the severe real-world consequences of ransomware attacks and the importance of robust cybersecurity measures to protect against threats like FiveHands.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
HELLOKITTY | 5 | HelloKitty is a piece of malicious software (malware) designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold dat
DEATHRANSOM | 2 | DeathRansom is a form of malware, specifically ransomware, known for its damaging effects on computer systems. It operates by infiltrating systems through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or hold data hostage for ranso
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
T1490
Windows
T1047
Ransom
T1055
T1082
T1124
T1485
T1071.001
T1572
Cobalt Strike
Facebook
Malware
T1078
T1053.005
T1059.001
T1106
T1045
T1140
T1012
T1046
T1057
T1135
T1560.003
T1486
T1090.002
Proxy
T1573.002
T1041
Encryption
Payload
Beacon
Encrypt
ESXi
SonicWall
Backdoor
Dropper
Loader
T1569.002
Associated Malware
ID | Type | Votes | Profile Description
SombRAT | is related to | 3 | SombRAT is a sophisticated malware that poses a significant financial threat, as reported by Mandiant in April 2021. It operates in conjunction with FIVEHANDS Ransomware under the umbrella of UNC2447, a malicious cyber activity group. The malware infects systems through suspicious downloads, emails,
Cobalt Strike Beacon | Unspecified | 1 | Cobalt Strike Beacon is a type of malware known for its harmful capabilities, including stealing personal information, disrupting operations, and potentially holding data hostage for ransom. The malware has been loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an
malware.binary.exe | Unspecified | 1 | None
Abyss Locker | Unspecified | 1 | Abyss Locker is a formidable strain of malware, specifically ransomware, that has been observed targeting both Microsoft Windows and Linux platforms. This malicious software operates by infiltrating systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside
Associated Threat Actors
ID | Type | Votes | Profile Description
APT10 | Unspecified | 1 | APT10, also known as the Menupass Team, is a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS). The group has been active since 2009 and is suspected to be based in Tianjin, China, according to research by IntrusionTruth in 2018. APT10 has primarily targeted
Havex | Unspecified | 1 | Havex, also known as Dragonfly or the Energetic Bear RAT, is a prominent threat actor in the cybersecurity landscape. First spotted in 2013, Havex was part of a broad industrial espionage campaign that specifically targeted Supervisory Control and Data Acquisition (SCADA) and Industrial Control Syst
DarkSide | Unspecified | 1 | DarkSide is a notable threat actor that emerged in the cybersecurity landscape with its advanced ransomware operations. In 2021, the group gained significant attention for its attack on the United States' largest oil pipeline, Colonial Pipeline, causing a temporary halt to all operations for three d
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the FIVEHANDS malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
InfoSecurity-magazine | 6 months ago | Why Bulletproof Hosting is Key to Cybercrime-as-a-Service
CERT-EU | 6 months ago | Over 178K SonicWall firewalls vulnerable to DoS, potential RCE attacks
CERT-EU | 7 months ago | Infographic: A History of Network Device Threats and What Lies Ahead
CERT-EU | 7 months ago | Infographic: A History of Network Device Threats and What Lies Ahead | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 10 months ago | HelloKitty ransomware source code exposed
Malwarebytes | 9 months ago | Apache ActiveMQ vulnerability used in ransomware attacks | Malwarebytes
Securityaffairs | 10 months ago | The source code of the 2020 variant of HelloKitty ransomware was leaked on cybercrime forum
CERT-EU | 10 months ago | The source code of the 2020 variant of HelloKitty ransomware was leaked on cybercrime forum | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 10 months ago | NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations | CISA
CISA | 10 months ago | NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations | CISA
MITRE | a year ago | UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat | Mandiant
MITRE | a year ago | FiveHands Ransomware | CISA
MITRE | a year ago | Handy guide to a new Fivehands ransomware variant