{
	"id": "2b8430cf-f5ff-4e29-a0a1-744066a523ae",
	"created_at": "2026-04-06T00:14:18.760292Z",
	"updated_at": "2026-04-10T13:12:16.260896Z",
	"deleted_at": null,
	"sha1_hash": "4cf44882bff6f955dc0224d7aae112c0d03636f1",
	"title": "Rewterz Threat Alert - Financially Motivated Aggressive Group Carrying Out Ransomware Campaigns - Active IOCs - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 278557,
	"plain_text": "Rewterz Threat Alert - Financially Motivated Aggressive Group\r\nCarrying Out Ransomware Campaigns - Active IOCs - Rewterz\r\nPublished: 2021-05-03 · Archived: 2026-04-05 16:18:12 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nThe group tracked as UNC2447 has been found exploiting the SonicWall VPN zero-day vulnerability, for which a patch has not yet been rolled out. The malware being deployed was previously known as “SOMBRAT”; its use for ransomware had not been reported before.\r\nThe group first deploys FIVEHANDS ransomware and then extorts the victims through media attention and threats of data sale. The group targets organizations in Europe and North America. It has also displayed advanced capabilities for evading detection and minimizing post-intrusion forensics.\r\nUNC2447 was previously found using RAGNARLOCKER ransomware. HELLOKITTY and FIVEHANDS have both been used by the group: HELLOKITTY from May 2020 to December 2020, and FIVEHANDS actively since then.\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-alert-financially-motivated-aggressive-group-carrying-out-ransomware-campaigns-active-iocs\r\nPage 1 of 4\r\nImpact\r\nFiles Encryption\r\nIndicators of Compromise\r\nDomain Name\r\nCosarm[.]com\r\nPortalcos[.]com\r\nMD5\r\n87c78d62fd35bb25e34abb8f4caace4a\r\n6382d48fae675084d30ccb69b4664cbb\r\n39ea2394a6e6c39c5d7722dc996daf05\r\nf568229e696c0e82abb35ec73d162d5e\r\n6c849920155f48d4b4aafce0fc49eb5b\r\n22d35005e926fe29379cb07b810a6075\r\n57824214710bc0cdb22463571a72afd0\r\n87c0b190e3b4ab9214e10a2d1c182153\r\n1b0b9e4cddcbcb02affe9c8124855e58\r\n46ecc24ef6d20f3eaf71ff37610d57d1\r\n1a79b6d169aac719c9323bc3ee4a8361\r\na64d79eba40229ae9aaebbd73938b985\r\nSHA-256\r\n61e286c62e556ac79b01c17357176e58efb67d86c5d17407e128094c3151f7f9\r\n99baffcd7a6b939b72c99af7c1e88523a50053ab966a079d9bf268aff884426e\r\n02a08b994265901a649f1bcf6772bc06df2eb51eb09906af9fd0f4a8103e9851\r\nc2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323\r\ndc007e71085297883ca68a919e37687427b7e6db0c24ca014c148f226d8dd98f\r\n947e357bfdfe411be6c97af6559fd1cdc5c9d6f5cea122bf174d124ee03d2de8\r\nef614b456ca4eaa8156a895f450577600ad41bd553b4512ae6abf3fb8b5eb04e\r\nbade05a30aba181ffbe4325c1ba6c76ef9e02cbe41a4190bd3671152c51c4a7b\r\n52dace403e8f9b4f7ea20c0c3565fa11b6953b404a7d49d63af237a57b36fd2a\r\na147945635d5bd0fa832c9b55bc3ebcea7a7787e8f89b98a44279f8eddda2a77\r\n0e5f7737704c8f25b2b8157561be54a463057cd4d79c7e016c30a1cf6590a85c\r\n7be901c5f7ffeb8f99e4f5813c259d0227335680380ed06df03fb836a041cb06\r\nSHA1\r\nffa5e945264288d4dec91d6871636f67624fd6ea\r\n0b4aeaff91b347197310fcbd432e2fe06d583b57\r\nca010ca1e7d5104049c09eefca128cc0e50729e1\r\n71889fdf2d7616f366c38072ef3d24b021068ab8\r\ne8044ecd514574b71c353a9b640c8d6705a8051c\r\na0181227dcb49b9417b468eeb38a2f8655553409\r\ndc8595989fc1bc784138b56cf32e8b194f425727\r\n2c916c1c094e35577ca0b863168dee48991f1a2c\r\n8fb41b6d5186cc996b4b92e812407a1adee8932f\r\n2342cc02a5ac26fd78603ac82e2d90e1b54ff71f\r\nc4a1eb629133a63dbfc7bdae189bfa73168c260c\r\ne6e4f57df5c0db2aa0d64ca7b5fb65a4395e3b5f\r\nRemediation\r\nDownload and install the latest patches for browsers.\r\nBe vigilant while browsing the internet and do not open spam email.\r\nBeware of suspicious users and emails.\r\nSource: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-financially-motivated-aggressive-group-carrying-out-ransomware-campaigns-active-iocs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-financially-motivated-aggressive-group-carrying-out-ransomware-campaigns-active-iocs"
	],
	"report_names": [
		"rewterz-threat-alert-financially-motivated-aggressive-group-carrying-out-ransomware-campaigns-active-iocs"
	],
	"threat_actors": [
		{
			"id": "065b7ea2-5920-4270-824e-94ea8a79d197",
			"created_at": "2023-12-08T02:00:05.747632Z",
			"updated_at": "2026-04-10T02:00:03.492858Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2447",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf1c7efe-4464-4347-95d3-c86fb4d7db51",
			"created_at": "2022-10-25T16:07:24.35977Z",
			"updated_at": "2026-04-10T02:00:04.953882Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "ETDA:UNC2447",
			"tools": [
				"7-Zip",
				"AdFind",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DEATHRANSOM",
				"DeathRansom",
				"FIVEHANDS",
				"FOXGRABBER",
				"HELLOKITTY",
				"HelloKitty",
				"KittyCrypt",
				"Mimikatz",
				"PCHUNTER",
				"RCLONE",
				"ROUTERSCAN",
				"Ragnar Locker",
				"RagnarLocker",
				"Rclone",
				"S3BROWSER",
				"SombRAT",
				"Thieflock",
				"WARPRISM",
				"cobeacon",
				"deathransom",
				"wacatac"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434458,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4cf44882bff6f955dc0224d7aae112c0d03636f1.pdf",
		"text": "https://archive.orkl.eu/4cf44882bff6f955dc0224d7aae112c0d03636f1.txt",
		"img": "https://archive.orkl.eu/4cf44882bff6f955dc0224d7aae112c0d03636f1.jpg"
	}
}