FIVEHANDS
FiveHands is a ransomware family described as a rewrite of DEATHRANSOM, observed by Mandiant in January and February 2021 at multiple extorted victims. It has been linked to financially motivated intrusions involving the UNC2447 cluster and was also reported by Microsoft as developed and deployed by DEV-0230, a prolific Conti affiliate that also deployed HelloKitty. Mandiant reported exploitation of the SonicWall SMA 100 zero-day CVE-2021-20016 beginning in January 2021 to deploy FiveHands, and noted targeting in Europe and North America in UNC2447-related activity.
Documented capabilities include encrypting data for ransom using an embedded NTRU public key, enumerating network shares and mounted drives, accepting a command-line argument to restrict encryption to specified directories, using WMI to delete files on target machines, and deleting volume shadow copies on compromised hosts to inhibit recovery. Mandiant also reported a newer FiveHands variant and noted observations suggesting a link to UNC2447. The malware has been observed alongside the SOMBRAT backdoor in ransomware intrusions. Reported associated tooling and intrusion activity in related campaigns included WARPRISM, Cobalt Strike BEACON, FOXGRABBER, ADFIND, BLOODHOUND, MIMIKATZ, RCLONE, ROUTERSCAN, S3BROWSER, ZAP, and 7ZIP. High-confidence context indicates FiveHands was used in extortion operations and in some cases accompanied by threats of media exposure and sale of stolen data.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Mandiant said in April that the CVE-2021-20016 SMA 100 zero-day was exploited to deploy a new ransomware strain known as FiveHands starting with January...
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
One of the most prolific and successful Conti affiliates—and the one responsible for developing the “Conti Manual” leaked in August 2021—is tracked as DEV-0230. This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads...
In January and February 2021, Mandiant Consulting observed a novel rewrite of DEATHRANSOM—dubbed FIVEHANDS—along with SOMBRAT at multiple victims that were extorted.
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
3 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
Stealth
4 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
Discovery
2 techniques
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Lateral Movement
1 technique
Impact
2 techniques
Numerous ransomware/wiper examples enumerate files before encryption, such as "BlackCat can enumerate files for encryption", "NotPetya searches for files ending with dozens of different file extensions prior to encryption", and "WastedLocker can enumerate files and directories just prior to encryption."
Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.
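As an added defensive example, not code from this page or from any vendor report, the Python below scans constructed Sysmon-style process-creation records for the recovery-inhibition command lines listed above (vssadmin delete shadows, wmic Shadowcopy Delete, bcdedit recoveryenabled No, and the PowerShell Win32_ShadowCopy equivalent) and for the WMI remote process-creation pattern described in the Execution section. The log lines, host names, users and paths are made up, the record format is an assumed key=value layout rather than real Sysmon XML, and the rule set is a minimal illustration, not a production ruleset. It goes slightly beyond the text by escalating a host's severity when two or more distinct recovery-inhibition rules fire on it, which is the combination the BlackCat description above shows.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style process-creation records (Event ID 1), one per line.
# Hosts, users and paths are invented for this example; the command lines are
# the ones described in the Impact and Execution sections plus two benign decoys.
SAMPLE_LOG = r'''
EventID=1 Computer=WS01 User=CORP\alice Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c dir C:\Users\alice\Documents"
EventID=1 Computer=WS01 User=CORP\alice Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"
EventID=1 Computer=WS01 User=CORP\alice Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic.exe Shadowcopy Delete"
EventID=1 Computer=WS01 User=CORP\alice Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled No"
EventID=1 Computer=FS02 User=CORP\svc_backup Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe list shadows"
EventID=1 Computer=WS01 User=CORP\alice Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic /node:FS02 process call create cmd.exe /c del C:\share\backup.bak"
EventID=1 Computer=WS01 User=CORP\alice Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
'''


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str          # ATT&CK technique the rule maps to
    pattern: re.Pattern


# Case-insensitive matches on the full command line. The vssadmin rule requires
# "delete shadows" so that routine "vssadmin list shadows" does not fire.
RULES = [
    Rule("vssadmin shadow deletion", "T1490 Inhibit System Recovery",
         re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    Rule("wmic shadowcopy deletion", "T1490 Inhibit System Recovery",
         re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    Rule("bcdedit recovery disabled", "T1490 Inhibit System Recovery",
         re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    Rule("powershell Win32_ShadowCopy delete", "T1490 Inhibit System Recovery",
         re.compile(r"win32_shadowcopy.*\bdelete\b", re.I)),
    Rule("wmic remote process creation", "T1047 Windows Management Instrumentation",
         re.compile(r"\bwmic(?:\.exe)?\b.*/node:.*\bprocess\b.*\bcall\s+create\b", re.I)),
]

RECOVERY_RULES = {r.name for r in RULES if r.technique.startswith("T1490")}

# key=value pairs; a value is either a double-quoted string (backslash escapes
# allowed) or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line: str) -> dict:
    """Turn one key=value record into a dict, stripping surrounding quotes."""
    record = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        record[key] = value
    return record


def scan_log(text: str) -> list:
    """Return one finding per (record, rule) match on process-creation events."""
    findings = []
    for line in text.strip().splitlines():
        rec = parse_record(line)
        if rec.get("EventID") != "1":
            continue
        cmd = rec.get("CommandLine", "")
        for rule in RULES:
            if rule.pattern.search(cmd):
                findings.append({
                    "host": rec.get("Computer"),
                    "user": rec.get("User"),
                    "rule": rule.name,
                    "technique": rule.technique,
                    "command": cmd,
                })
    return findings


def summarize_by_host(findings: list) -> dict:
    """Group findings per host; escalate to 'high' when two or more distinct
    recovery-inhibition rules fired on the same host."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["host"], {"rules": set(), "severity": "medium"})
        entry["rules"].add(f["rule"])
    for entry in summary.values():
        if len(entry["rules"] & RECOVERY_RULES) >= 2:
            entry["severity"] = "high"
    return summary


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['host']:5} {h['user']:16} {h['technique']:45} {h['rule']}")
    for host, entry in summarize_by_host(hits).items():
        print(f"{host}: severity={entry['severity']} rules={sorted(entry['rules'])}")
```

On the constructed input the scan yields five findings, all on WS01: the benign `dir` and `vssadmin list shadows` lines are ignored, and WS01 is escalated to high because four distinct recovery-inhibition rules fired on it. In a real pipeline the same rules would sit in Sigma or the SIEM's query language; the point here is the pairing of per-command matching with per-host correlation, since a single vssadmin call has legitimate uses but vssadmin plus wmic plus bcdedit in one session on one host does not.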
IOCs tracked for this family
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware capable of deleting volume shadow copies on compromised hosts.
Ransomware payload developed and deployed by DEV-0230.
FiveHands is a ransomware family observed in the wild, with new variants being tracked. It is used to encrypt victim data and demand ransom payments.
Ransomware strain reportedly deployed after exploitation of SonicWall SMA 100 (CVE-2021-20016), used to compromise targets including SonicWall internal systems.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.