Mandiant has observed an aggressive financially motivated group,
UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to
a patch being available and deploying sophisticated malware previously
reported by other vendors as SOMBRAT. Mandiant has linked the use of
SOMBRAT to the deployment of ransomware, which has not been previously
UNC2447 monetizes intrusions by extorting their victims first with
FIVEHANDS ransomware followed by aggressively applying pressure
through threats of media attention and offering victim data for sale
on hacker forums. UNC2447 has been observed targeting organizations in
Europe and North America and has consistently displayed advanced
capabilities to evade detection and minimize post-intrusion forensics.
Mandiant has observed evidence of UNC2447 affiliated actors
previously using RAGNARLOCKER ransomware. Based on technical and
temporal observations of HELLOKITTY and FIVEHANDS deployments,
Mandiant suspects that HELLOKITTY may have been used by an overall
affiliate program from May 2020 through December 2020, and FIVEHANDS
since approximately January 2021.
In November 2020, Mandiant created UNC2447, an uncategorized group
observed using the novel WARPRISM PowerShell dropper to install BEACON
at two Mandiant Managed Defense clients. Mandiant Managed Defence
quicky neutralized these intrusions and did not observe attempts to
In January and February 2021, Mandiant Consulting observed a novel
rewrite of DEATHRANSOM—dubbed FIVEHANDS—along with SOMBRAT at multiple
victims that were extorted. During one of the ransomware intrusions,
the same WARPRISM and BEACON samples previously clustered under
UNC2447 were observed. Mandiant was able to forensically link the use
of WARPRISM, BEACON, SOMBRAT and FIVEHANDS to the same actor.
Mandiant suspects that HELLOKITTY activity in late-2020 may be
related to the overall affiliate program and that usage shifted to
FIVEHANDS ransomware beginning in January 2021.
- In April 2021, Mandiant observed a private FIVEHANDS TOR chat
using a HELLOKITTY favicon (Figure 1).
Figure 1: FIVEHANDS Hello Kitty icon
When affiliate-based ransomware is observed by Mandiant,
uncategorized clusters are assigned based on the infrastructure used,
and in the case of UNC2447 were based on the SOMBRAT and Cobalt Strike
BEACON infrastructure used across 5 intrusions between November 2020
and February 2021. Generally, Mandiant uses caution even with novel
malware such as SOMBRAT and WARPRISM and clusters each use rigorously
according to all observed activity. For more information on
uncategorized threats, refer to our post, “DebUNCing
Attribution: How Mandiant Tracks Uncategorized Threat Actors.”
SonicWall SMA 100 Series Appliance Vulnerability
CVE-2021-20016 is a critical SQL injection vulnerability that
exploits unpatched SonicWall Secure Mobile Access SMA 100 series
remote access products. A remote, unauthenticated attacker could
submit a specially crafted query in order to exploit the
vulnerability. Successful exploitation would grant an attacker the
ability to access login credentials (username, password) as well as
session information that could then be used to log into a vulnerable
unpatched SMA 100 series appliance. This vulnerability only impacted
the SMA 100 series and was patched by SonicWall in February 2021. For
more information on this vulnerability, please refer to SonicWall
PSIRT advisory SNWLID-2021-0001.
WARPRISM is a PowerShell dropper that has been observed by Mandiant
delivering SUNCRYPT, BEACON, and MIMIKATZ. WARPRISM is used to evade
endpoint detection and will load its payload directly into memory.
WARPRISM may be used by multiple groups.
FOXGRABBER is a command line utility used to harvest FireFox
credential files from remote systems. It contains the PDB path:
has also been observed in DARKSIDE ransomware intrusions.
BEACON Malleable Profiles
In the initial stages of an intrusion, UNC2447 uses the Cobalt
Strike BEACON HTTPSSTAGER implant for persistence to communicate with
command-and-control (C2) servers over HTTPS and has been observed
using ‘chches_APT10’ and ‘Havex’ Malleable profiles.
During the recon and exfiltration stage of intrusions, UNC2447 has
been observed using the following tools: ADFIND, BLOODHOUND, MIMIKATZ,
PCHUNTER, RCLONE, ROUTERSCAN, S3BROWSER, ZAP and 7ZIP. UNC2447 may
tamper with windows security settings, firewall rules, and antivirus protection.
SOMBRAT was first reported by Blackberry Cylance in November 2020 as
CostaRicto Campaign: Cyber-Espionage Outsourced” as a
potential espionage-for-hire criminal group. Mandiant has now observed
SOMBRAT alongside FIVEHANDS ransomware intrusions.
The SOMBRAT backdoor is packaged as a 64-bit Windows executable. It
communicates with a configurable command and control (C2) server via
multiple protocols, including DNS, TLS-encrypted TCP, and potentially
WebSockets. Although the backdoor supports dozens of commands, most of
them enable the operator to manipulate an encrypted storage file and
reconfigure the implant. The backdoor’s primary purpose is to download
and execute plugins provided via the C2 server. In contrast to the
SOMBRAT version published in November 2020, Mandiant observed
additional obfuscation and armoring to evade detection, this SOMBRAT
variant has been hardened to discourage analysis. Program metadata
typically included by the compiler has been stripped and strings have
been inlined and encoded via XOR-based routines.
The SOMBRAT Launcher
This SOMBRAT backdoor variant must be deployed alongside four
additional resources that serve as launchers. They are typically
installed to the hardcoded directory path `C:ProgramDataMicrosoft`.
- path: `C:programdataMicrosoftWwanSvc.bat` – launcher for
- path: `C:programdataMicrosoftWwanSvc.txt` –
decoder and launcher for `WwanSvc.c`
`C:programdataMicrosoftWwanSvc.c` – decoder and launcher for
- path: `C:programdataMicrosoftWwanSvc.a` – XOR
- path: `C:programdataMicrosoftWwanSvc.b` – encoded
- path: `%TEMP%<possibly unique random
name>` – encrypted storage file
`%TEMP%<possibly unique random name _<integer>` –
encrypted storage file
- path: `C:ProgramData<possibly
unique random name ` – encrypted configuration file
Other variations of the filenames were observed such as ntuser and wapsvc.
SOMBRAT Technical Details
The SOMBRAT backdoor is written in modern C++ and implemented as a
collection of “plugins” that interoperate with one another.
There are five plugins distributed with this variant: `core`,
`network`, `storage`, `taskman`, and `debug` (the `config` plugin
described by Blackberry is not present). The core plugins communicate
with the C2 server via messages sent over a common networking layer;
each plugin supports its own set of messages, and the backdoor
protocol can be extended by dynamically loaded plugins.
The `core` plugin coordinates state tracking, such as network
connectivity, and dynamic plugin loading and unloading. The `network`
plugin configures the networking layer used to communicate with the C2
server, for example enabling the operator to switch between DNS and
TCP protocols. The `storage` plugin exposes logical operations, such
as read and write, for an encrypted file used to store plugins,
resources, and arbitrary data. The `taskman` plugin enables the
operator to list and kill processes on the compromised system.
Finally, the `debuglog` plugin supports a single command to records
Given that the core plugins do not enable an operator directly
execute arbitrary commands or reconfigure the system, the primary
function of the SOMBRAT backdoor is to load plugins provided via the
C2 server. These plugins may be shellcode or DLL modules to be
dynamically loaded. The C2 server may instruct the backdoor to load
the plugins directly or persist them into the encrypted storage file,
where they may subsequently be reloaded, such as after upgrading the backdoor.
Figure 2: Malware author mark “No one is
perfect except me.”
SOMBRAT evades forensic analysis by patching the process memory used
to record command line arguments. It replaces the initial command line
with the base filename of the program executable, removing any
arguments. This means that investigators that inspect a process
listing via memory forensics will see the innocuous-looking command
line `powershell.exe` rather than references to the uncommon filename
such as `WwanSvc.c`.
SOMBRAT Network Communications
The SOMBRAT backdoor can communicate with its C2 server using both
DNS and a proxy-aware, TLS-encrypted stream protocol. By default, the
backdoor uses the DNS protocol; however, this can be reconfigured by
the C2 server. Mandiant observed the domains feticost[.]com and
celomito[.]com used for DNS C2 communications.
When the backdoor communicates via its DNS protocol, it constructs
and resolves FQDNs, interpreting the DNS results to extract C2
messages. The authoritative DNS server embeds data within the IP
address field of DNS A record results and within the Name
Administrator field of DNS TEXT record results. By making many
requests to unique subdomains of the C2 domain, the backdoor can
slowly transmit information a few bytes at a time.
Beginning in October 2020, Mandiant observed samples of a customized
version of DEATHRANSOM. This newly modified version removed the
language check feature (Figure 3 shows the language check of DEATHRANSOM).
Figure 3: Language check from Fortinet blog
- HELLOKITTY ransomware—used to target
Polish video game developer CD Projekt Red—is reportedly built
- HELLOKITTY is named after a mutex named
‘HELLOKITTYMutex,’ used when the malware executable is launched
(see Figure 4).
- HELLOKITTY is named after a mutex named
Figure 4: HELLOKITTY mutex shown in
- CEMIG (Companhia Energética de Minas Gerais), a Brazilian
electric power company, revealed
on Facebook in late December 2020 that it was a victim
of HELLOKITTY cyber attack.
In January 2021, Mandiant observed a new ransomware deployed against
a victim and assigned the name FIVEHANDS.
- Analysis of FIVEHANDS revealed high similarity to DEATHRANSOM,
sharing several features, functions, and coding similarities. Absent
in FIVEHANDS is a language check, similar to HELLOKITTY
- Both DEATHRANSOM and FIVEHANDS drops a ransom note in all
Technical Comparison of FIVEHANDS, HELLOKITTY and DEATHRANSOM
DEATHRANSOM is written in C while the other two families are written
in C++. DEATHRANSOM uses a distinct series of do/while loops to
enumerate through network resources, logical drives, and directories.
It also uses QueueUserWorkItem to implement thread pooling for its
file encryption threads.
HELLOKITTY is written in C++, but reimplements a significant portion
of DEATHRANSOM’s functionality using similar loop operations and
thread pooling via QueueUserWorkItem. The code structure to enumerate
network resources, logical drives, and perform file encryption is very
similar. Additionally, HELLOKITTY and DEATHRANSOM share very similar
functions to check for the completion status of their encryption
threads before exiting.
FIVEHANDS is written in C++ and although high level functionality is
similar, the function calls and code structure to implement the
majority of the functionality is written differently. Also, instead of
executing threads using QueueUserWorkItem, FIVEHANDS uses
IoCompletionPorts to more efficiently manage its encryption threads.
FIVEHANDS also uses more functionality from the C++ standard template
library (STL) than does HELLOKITTY.
Deletion of Volume Shadow Copies
DEATHRANSOM, HELLOKITTY, and FIVEHANDS use the same code to delete
volume shadow copies via WMI by performing the query select * from
Win32_ShadowCopy and then deleting each instance returned by its id.
Each of these three malware families utilizes a similar encryption
scheme. An asymmetric public key is either hard-coded or generated. A
unique symmetric key is generated for each encrypted file.
- After each file is encrypted, the asymmetric key will encrypt
the symmetric key and append it to the encrypted file. Additionally,
a unique four byte magic value is appended to the end of the
encrypted file. The malware checks for these magic bytes to ensure
it does not encrypt a previously encrypted file again.
- DEATHRANSOM and HELLOKITTY implement the file encryption
operations using a very similar code structure and flow.
- FIVEHANDS implements its file encryption with a differing code
structure and uses different embedded encryption libraries.
- In addition to the symmetric key, HELLOKITTY and FIVEHANDS also
encrypts file metadata with the public key and appends this to the
- DEATHRANSOM generates an RSA key pair while
HELLOKITTY and FIVEHANDS use an embedded RSA or NTRU public
- DEATHRANSOM creates an RSA-2048 public and private key pair.
Using an Elliptic-curve Diffie–Hellman (ECDH) routine implemented
with Curve25519, it computes a shared secret using two input values:
1) 32 random bytes from a RtlGenRandom call and 2) a hardcoded 32
byte value (attacker’s public key). It also create a Curve25519
public key. The shared secret is SHA256 hashed and used as the key
to Salsa20 encrypt the RSA public and private keys.
- The RSA
public key is used to encrypt the individual symmetric keys that are
used to encrypt each file. A Base64 encoded version of the encrypted
RSA keys and the victim’s Curve25519 public key is included in the
ransom note, providing the threat actors the information needed to
decrypt the victim’s files.
- For the symmetric key,
DEATHRANSOM calls RtlGenRandom to generate 32 random bytes. This is
the 32 byte key used to AES encrypt each file. After the file is
encrypted, the AES key is encrypted with the public RSA key and
appended to the file.
- DEATHRANSOM lastly appends the four
magic bytes of AB CD EF AB at the end of the encrypted file and uses
this as a check to ensure that it does not encrypt an already
- The analyzed DEATHRANSOM sample used for
comparison does not change the file extension.
- HELLOKITTY contains an embedded RSA-2048 public key. This
public key is SHA256 hashed and used as the victim ID within the
ransom note. This RSA pubic key is also used to encrypt each file’s
- For the symmetric key, HelloKitty generates
a 32 byte seed value based on the CPU timestamp. A Salsa20 key is
generated and encrypts a second 32 byte seed value. The encrypted
result is XOR’d with the first seed, resulting in a 32 byte key used
to AES encrypt each file.
- After each file is encrypted, the
original file size, magic value of DE C0 AD BA, and AES key are
encrypted with the public RSA key and appended to the file.
HELLOKITTY and FIVEHANDS appends this additional metadata to the
encrypted file, while DEATHRANSOM does not.
- Lastly it
appends the four magic bytes DA DC CC AB to the end of the encrypted
- Depending on the version, HELLOKITTY may or may not
change the file extension.
- Other samples of HELLOKITTY have
used an embedded NTRU public key instead of RSA.
- FIVEHANDS uses an embedded NTRU public key. This NTRU key is
SHA512 hashed and the first 32 bytes are used as the victim ID
within the ransom note. This NTRU pubic key is also used to encrypt
each file’s symmetric key.
- For the symmetric key, FIVEHANDS
uses an embedded generation routine to produce 16 random bytes used
for an AES key to encrypt each file.
- After each file is
encrypted, the original file size, magic value of DE C0 AD BA, and
AES key are encrypted with the public NTRU key and appended to the
- The four magic bytes DB DC CC AB are appended to the
end of the encrypted file.
- FIVEHANDS includes additional
code not found in DEATHRANSOM and HELLOKITTY to use the Windows
Restart Manager to close a file currently in use so that it can be
unlocked and successfully encrypted.
- The encrypted file
extension is changed to .crypt extension
encryption flow and sequence is very different from the other two,
partially because it incorporates asynchronous I/O requests and uses
different embedded encryption libraries.
FIVEHANDS Encrypted Dropper
One significant change between DEATHRANSOM and FIVEHANDS is the use
of a memory-only dropper, which upon execution, expects a command line
switch of -key followed by the key value necessary to perform
decryption of its payload. The payload is stored and encrypted with
AES-128 using an IV of “85471kayecaxaubv”. The decrypted FIVEHANDS
payload is immediately executed after decryption. To date, Mandiant
has only observed encrypted droppers with a common imphash of 8517cf209c905e801241690648f36a97.
FIVEHANDS can receive a CLI argument for a path, this limits the
ransomware’s file encryption activities to the specified directory.
DEATHRANSOM and HELLOKITTY do not accept CLI arguments.
Locale and Mutex checks
DEATHRANSOM performs language ID and keyboard layout checks. If
either of these match Russian, Kazakh, Belarusian, Ukrainian or Tatar
it exits. Neither HELLOKITTY or FIVEHANDS perform language ID or
HELLOKITTY performs a mutex check while the other two do not perform
DEATHRANSOM and HELLOKITTY both exclude the same directories and files:
programdata, $recycle.bin, program files, windows, all users,
appdata, read_me.txt, autoexec.bat, desktop.ini, autorun.inf,
ntuser.dat, iconcache.db, bootsect.bak, boot.ini, ntuser.dat.log, or thumbs.db.
The exclusions for FIVEHANDS are more extensive and contain
additional files and directories to ignore.
- DEATHRANSOM makes an external HTTPS connection to download a
file. Neither HELLOKITTY or FIVEHANDS initiate network
- HELLOKITTY contains code to set the victims
wallpaper to a ransom related image. The other samples do not have
- Different versions of DEATHRANSOM and
HELLOKITTY are known to change the file extension
versions of HELLOKITTY are known to check for specific processes to
Embedded NTRU Key
Embedded RSA or NTRU Key
Curve25519 ECDH and RSA key creation
Same directory and file name exclusions
Accepts CLI Arguments
Bytes Appended to Encrypted Files
DB DC CC AB
AB CD EF AB
Table 1: Ransomware feature comparison
Mandiant observed SOMBRAT and FIVEHANDS ransomware by the same group
since January 2021. While similarities between HELLOKITTY and
FIVEHANDS are notable, ransomware may be used by different groups
through underground affiliate programs. Mandiant will assign an
uncategorized cluster based on multiple factors including
infrastructure used during intrusions and as such, not all SOMBRAT or
FIVEHANDS ransomware intrusions may have been conducted by UNC2447.
WARPRISM and FOXGRABBER have been used in SUNCRYPT and DARKSIDE
ransomware demonstrating additional complexity and sharing between
different ransomware affiliate programs.
- cf1b9284d239928cce1839ea8919a7af (wwansvc.a XOR key)
- 4aa3eab3f657498f52757dc46b8d1f11 (wwansvc.c)
- 1f6495ea7606a15daa79be93070159a8 (wwansvc.bat)
- 31dcd09eb9fa2050aadc0e6ca05957bf (wwansvc.b)
- edf567bd19d09b0bab4a8d068af15572 (wwansvc.b)
- a5b26931a1519e9ceda04b4c997bb01f (wwansvc.txt)
- Celomito[.]com (unc2447)
FIVEHANDS Encrypted Dropper
- c925822c6d5175c30ba96388b07e9e16 (unc2447)
- 64.227.24[.]12 Havex Profile January 2021
- 157.230.184[.]142 chches_ APT10 Profile November 2020-January
FireEye Network Security
FireEye Email Security
FireEye Detection On
FireEye Malware Analysis
FireEye EndPoint Security
Malware Protection (AV/MG)
Command and Control
Thanks to Nick Richard for technical review, Genevieve Stark and
Kimberly Goody for analytical contributions, and Jon Erickson,
Jonathan Lepore, and Stephen Eckels for analysis incorporated into
this blog post.