Rewterz Threat Alert - Financially Motivated Aggressive Group Carrying Out Ransomware Campaigns - Active IOCs - Rewterz Published: 2021-05-03 · Archived: 2026-04-05 16:18:12 UTC Severity High Analysis Summary The group recognized as UNC2447 is found exploiting the SonicWall VPN zero-day vulnerability since a patch has not rolled out for the exploit yet. The malware being deployed was previously prevalent with the name “SOMBRAT.” SOMBRAT is being used for ransomware – which was not previously reported. FIVEHANDS ransomware is first used by the group and later on the victims are extorted through media attention and data sale threats. The group targets organizations in Europe and North America. They have also displayed advanced capabilities of evading detection and minimize post-intrusion forensics. UNC2447 was previously found using RAGNARLOCKER ransomware. HELLOKITTY and FIVEHANDS were used by the system and HELLOKITTY was being used from May 2020 to December 2020, and FIVEHANDS is being actively used since then. https://www.rewterz.com/rewterz-news/rewterz-threat-alert-financially-motivated-aggressive-group-carrying-out-ransomware-campaigns-active-iocs Page 1 of 4 Impact Files Encryption Indicators of Compromise Domain Name Cosarm[.]com Portalcos[.]com MD5 87c78d62fd35bb25e34abb8f4caace4a 6382d48fae675084d30ccb69b4664cbb 39ea2394a6e6c39c5d7722dc996daf05 f568229e696c0e82abb35ec73d162d5e https://www.rewterz.com/rewterz-news/rewterz-threat-alert-financially-motivated-aggressive-group-carrying-out-ransomware-campaigns-active-iocs Page 2 of 4 6c849920155f48d4b4aafce0fc49eb5b 22d35005e926fe29379cb07b810a6075 57824214710bc0cdb22463571a72afd0 87c0b190e3b4ab9214e10a2d1c182153 1b0b9e4cddcbcb02affe9c8124855e58 46ecc24ef6d20f3eaf71ff37610d57d1 1a79b6d169aac719c9323bc3ee4a8361 a64d79eba40229ae9aaebbd73938b985 SHA-256 61e286c62e556ac79b01c17357176e58efb67d86c5d17407e128094c3151f7f9 99baffcd7a6b939b72c99af7c1e88523a50053ab966a079d9bf268aff884426e 61e286c62e556ac79b01c17357176e58efb67d86c5d17407e128094c3151f7f9 02a08b994265901a649f1bcf6772bc06df2eb51eb09906af9fd0f4a8103e9851 c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323 dc007e71085297883ca68a919e37687427b7e6db0c24ca014c148f226d8dd98f 947e357bfdfe411be6c97af6559fd1cdc5c9d6f5cea122bf174d124ee03d2de8 ef614b456ca4eaa8156a895f450577600ad41bd553b4512ae6abf3fb8b5eb04e bade05a30aba181ffbe4325c1ba6c76ef9e02cbe41a4190bd3671152c51c4a7b 52dace403e8f9b4f7ea20c0c3565fa11b6953b404a7d49d63af237a57b36fd2a a147945635d5bd0fa832c9b55bc3ebcea7a7787e8f89b98a44279f8eddda2a77 0e5f7737704c8f25b2b8157561be54a463057cd4d79c7e016c30a1cf6590a85c 7be901c5f7ffeb8f99e4f5813c259d0227335680380ed06df03fb836a041cb06 SHA1 ffa5e945264288d4dec91d6871636f67624fd6ea 0b4aeaff91b347197310fcbd432e2fe06d583b57 ca010ca1e7d5104049c09eefca128cc0e50729e1 71889fdf2d7616f366c38072ef3d24b021068ab8 e8044ecd514574b71c353a9b640c8d6705a8051c a0181227dcb49b9417b468eeb38a2f8655553409 dc8595989fc1bc784138b56cf32e8b194f425727 2c916c1c094e35577ca0b863168dee48991f1a2c 8fb41b6d5186cc996b4b92e812407a1adee8932f 2342cc02a5ac26fd78603ac82e2d90e1b54ff71f c4a1eb629133a63dbfc7bdae189bfa73168c260c e6e4f57df5c0db2aa0d64ca7b5fb65a4395e3b5f Remediation Download and install the latest patches for browsers. https://www.rewterz.com/rewterz-news/rewterz-threat-alert-financially-motivated-aggressive-group-carrying-out-ransomware-campaigns-active-iocs Page 3 of 4 Be vigilant while browsing the internet and do not open spam email. Beware of suspicious users and emails. Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-financially-motivated-aggressive-group-carrying-out-ransomware-campaig ns-active-iocs https://www.rewterz.com/rewterz-news/rewterz-threat-alert-financially-motivated-aggressive-group-carrying-out-ransomware-campaigns-active-iocs Page 4 of 4