Hackers used SonicWall zero-day flaw to plant ransomware

Security researchers have discovered a new strain of ransomware designed to exploit a SonicWall VPN zero-day vulnerability before a patch was available.

According to researchers at Mandiant, the flaw exists in SonicWall’s SMA-100 series of VPN products. Hackers, who Mandiant dubbed UNC2447, targeted organizations in Europe and North America with a new ransomware known as FiveHands, a rewritten version of the DeathRansom ransomware.

Hackers deployed the malware as early as January this year along with Sombrat malware at multiple victims that were extorted. Researchers noted that in one of the ransomware intrusions, the same Warprism and Beacon malware samples previously attributed to UNC2447 were observed. Researchers are certain that the same hacking group used Ragnar Locker ransomware in the past.

“Based on technical and temporal observations of HelloKitty and FiveHands deployments, Mandiant suspects that HelloKitty may have been used by an overall affiliate program from May 2020 through December 2020, and FiveHands since approximately January 2021,” the researchers said.

Researchers said FiveHands is suspected to be affiliate ransomware and the successor to another variant of DeathRansom called HelloKitty. The HelloKitty ransomware has been used to hold games firm CD Projekt Red to ransom. They added that they observed a private FiveHands Tor chat earlier this month using a Hello Kitty favicon.

The new FiveHands malware improves on HelloKitty and DeathRansom by using a memory-only dropper and encryption on more files and folders. The malware can also "use the Windows Restart Manager to close a file currently in use so that it can be unlocked and successfully encrypted."

The exploit the ransomware uses is CVE-2021-20016, a critical SQL injection vulnerability that exploits unpatched SonicWall Secure Mobile Access SMA 100 series remote access products. Researchers said this flaw allows a remote, unauthenticated attacker to submit a specially crafted query to exploit the vulnerability.

“Successful exploitation would grant an attacker the ability to access login credentials (username, password) as well as session information that could then be used to log into a vulnerable unpatched SMA 100 series appliance,” said researchers

This vulnerability only impacted the SMA 100 series and was patched by SonicWall in February 2021.

The hackers make money from intrusions by extorting their victims first with FiveHands ransomware. That is “followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums,” according to researchers.

"UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics."

Researchers said while similarities between HelloKitty and FiveHands are notable, different groups may use ransomware through underground affiliate programs.