A ransomware group caught targeting a recently patched SonicWall vulnerability leveraged that vulnerability before the patch became available, Mandiant reported Thursday.
The vulnerability, a SQL injection bug in SonicWall’s SMA-100 series of remote access products, was already used in a headline-grabbing attack. Hackers used the vulnerability as a zero-day to breach SonicWall itself prior to the patch announcement in January. The latest findings show that another group also sought to take advantage.
Mandiant first observed the ransomware group, which it has dubbed UNC2447, targeting SonicWall SMA-100 customer organizations in the U.S. and Europe. The group uses a combination of SombRAT and a previously uncatalogued variant of the DeathRansom ransomware that Mandiant calls FIVEHANDS.
Mandiant researchers first saw the group deploy the FIVEHANDS malware in January, but the group is older, and it is forensically tied to intrusions that used the newly disclosed dropper WARPRISM and Cobalt Strike Beacon. Mandiant also believes UNC2447 has used Ragnar Locker ransomware in the past.
FIVEHANDS appears to be affiliate ransomware, Mandiant wrote, and the successor to another rewrite of DeathRansom known as HelloKitty. HelloKitty was most famously used to extort the game developer CD Projekt Red. FIVEHANDS improves on its predecessors by using a new, memory-only dropper and encrypting a wider array of file types.
Since the ransomware is being used in affiliate programs, other groups may be using it as well.
The SonicWall vulnerability affected the 10.x firmware up until the January 23 update to 10.2.