{
	"id": "a0d2e072-1097-4356-afa6-4703b8ab61fe",
	"created_at": "2026-04-06T00:15:12.978695Z",
	"updated_at": "2026-04-10T03:34:59.95213Z",
	"deleted_at": null,
	"sha1_hash": "4e395faf8f096bc406d112d207086d65aef73412",
	"title": "FiveHands Ransomware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 153321,
	"plain_text": "FiveHands Ransomware | CISA\r\nPublished: 2021-05-06 · Archived: 2026-04-05 17:23:13 UTC\r\nInitial Access\r\nThe initial access vector was a zero-day vulnerability in a virtual private network (VPN) product (Exploit Public-Facing Application [T1190 ]).\r\nPublicly Available Tool: SoftPerfect Network Scanner\r\nThe cyber actor used SoftPerfect Network Scanner for Discovery [TA0007 ] of hostnames and network services\r\n(Network Service Scanning [T1046 ]).\r\nDetails on the SoftPerfect Network Scanner artifacts are below.\r\nnetscan.exe\r\nThe netscan.exe artifact is a stand-alone version of the SoftPerfect Network Scanner, version 7.2.9 for 64-bit\r\noperating systems. The SoftPerfect website states that the \"SoftPerfect Network Scanner can ping computers, scan\r\nports, discover shared folders, and retrieve practically any information about network devices, via Windows\r\nManagement Instrumentation (WMI), Simple Network Management Protocol (SNMP), Hypertext Transfer\r\nProtocol (HTTP), Secure Shell (SSH), and PowerShell. It also scans for remote services, registry, files and\r\nperformance counters; offers flexible filtering and display options and exports NetScan results to a variety of\r\nformats from XML to JSON.\"\r\nThe utility can also be used with Nmap for vulnerability scanning. The utility will generate a report of its findings\r\ncalled netscan.xml .\r\nnetscan.xml\r\nThe netscan.xml artifact is an Extensible Markup Language (XML) document reporting scanning results for the\r\nSoftPerfect Network Scanner program. 
The XML document indicates that a random scan was conducted to\r\nidentify hostnames on a network and to search for:\r\nweb servers, \r\nfile servers, \r\ndatabase servers, and\r\nany open Remote Desktop Protocol (RDP) ports for several subnets of unrouteable Internet Protocol (IP)\r\naddresses.\r\nnetscan.lic\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a\r\nPage 1 of 7\n\nA license is required to unlock all of the features of the SoftPerfect Network Scanner. The netscan.lic artifact\r\nis the Network Scanner license that was included with this submission. The license name is DeltaFoX .\r\nFiveHands Ransomware\r\nThe malicious cyber actor used PsExec to execute ServeManager.exe , which CISA refers to as FiveHands\r\nransomware (Execution [TA0002 ], System Services: Service Execution [T1569.002 ], Impact [TA0040 ]).\r\nFiveHands is a novel ransomware variant that uses a public key encryption scheme called NTRUEncrypt . Note:\r\nthe NTRUEncrypt public key cryptosystem encryption algorithm (NTRU), is a lattice-based alternative to Rivest-Shamir-Adleman, known as RSA, and Elliptic-curve cryptography, or ECC, and is based on the shortest vector\r\nproblem in a lattice.\r\nTo prevent data recovery, FiveHands uses WMI to first enumerate then delete Volume Shadow copies (Inhibit\r\nSystem Recovery [T1490 ]; Windows Management Instrumentation [T1047 ]). The malware also encrypts files\r\nin the recovery folder (Data Encrypted for Impact [T1486 ]). After the files are encrypted, the program will\r\nwrite a ransom note to each folder and directory on the system.\r\nDetails on the ransomware artifacts are below.\r\nPsExec.exe\r\nThe PsExec.exe artifact is the legitimate remote administration program. This tool is part of Microsoft's\r\nSysinternals tool suite. 
This utility was used to execute the program ServeManager.exe with the following\r\narguments:\r\npsexec.exe -d @comps.txt -s -relatime -c ServeManager.exe -key  \r\nThe arguments are defined as follows:\r\n          -d --\u003e Run psexec.exe without any prompts.\r\n          @ --\u003e Remotely access this list of hostnames/IP addresses.\r\n          -s --\u003e Run the program with system level privileges.\r\n          -relatime --\u003e This is a typo. This should be -realtime, or run this process before any other process.\r\n          -c --\u003e Copy the program to the remote system before executing.\r\nServeManager.exe\r\nThe ServeManager.exe artifact is a 32-bit executable file that is executed using the Microsoft Sysinternals\r\nremote administration tool, PsExec.exe . When the program is executed it will attempt to load into memory a\r\nlarge embedded module that is decoded with a supplied key. The module is decoded in memory and checked to\r\nverify that it has a portable executable (PE) header. If the header is verified, the payload is executed.\r\nThe payload is a 32-bit executable file that is used to encrypt files on the victim’s system to extort a ransom. When\r\nthe ransomware is executed, it will enumerate files and folders on the system and encrypt files with the\r\nextensions, .txt , .chm , .dat , .ocx , .js , .tlb , .vbs , .sys , .lnk , .xml , .jpg , .log , .zip ,\r\n.htm , .ini , .gif , .html , .css , and others (File and Directory Discovery [T1083 ]). Key system files\r\nare not encrypted.\r\nTo thwart the recovery of the data, the ransomware uses Windows Management Instrumentation (WMI) to\r\nenumerate Volume Shadow copies using the command select * from Win32_ShadowCopy and then deletes\r\ncopies by ID ( Win32_ShadowCopy.ID ). The malware will also encrypt files in the recovery folder at\r\nC:\\Recovery . 
After the files are encrypted the program will write a ransom note to each folder and directory on\r\nthe system called read_me_unlock.txt .\r\nFigure 1 displays the ransom note (redacted for privacy).\r\nFigure 1: Ransom note\r\nRemote Access Trojan: SombRAT \r\nThe threat actors used batch and text files to execute and invoke PowerShell scripts that decoded a SombRAT\r\nloader and enabled PowerShell to bypass the organization’s anti-malware program (Command and Scripting\r\nInterpreter: Windows Command Shell [T1059.003 ], Command and Scripting Interpreter: PowerShell\r\n[T1059.001 ], Defense Evasion [TA0005 ]). SombRAT is a custom remote access Trojan (RAT) used to\r\ndownload and execute malicious payloads.[1 ] \r\nThe SombRAT loader recovered in this incident was a 64-bit variant that allowed the malicious actor to remotely\r\ndownload and load executable dynamic-link libraries (DLL) plugins on the affected system (Ingress Tool Transfer\r\n[T1105 ]). The loader used hardcoded public RSA keys for command and control (C2) sessions (Command and\r\nControl [TA0011 ]). The C2 communications were encrypted using Advanced Encryption Standard (AES),\r\nresulting in a Secure Sockets Layer tunnel with the threat actors (Encrypted Channel: Asymmetric Cryptography\r\n[T1573.002 ]).\r\nDetails on the SombRAT artifacts are below.\r\nWwanSvc.bat\r\nThe WwanSvc.bat artifact is a batch file. When executed, it will invoke PowerShell, which decodes and executes\r\na base64-encoded PowerShell script called WwanSvc.txt in the path C:\\ProgramData\\Microsoft\\WwanSvc\\\r\n(Deobfuscate/Decode Files or Information [T1140 ], Obfuscated Files or Information [T1027 ]).\r\nWwanSvc.txt\r\nThe WwanSvc.txt artifact is a base64-encoded PowerShell script that is decoded and executed by WwanSvc.bat .\r\nThe script allows PowerShell to run without system restrictions while bypassing the Microsoft anti-malware\r\nprogram. 
Next, the script decodes the file WwanSvc.c using a bitwise Exclusive OR (XOR) with a 256-byte key\r\nthat is found in WwanSvc.a . Both WwanSvc.a and WwanSvc.c are located in C:\\ProgramData\\Microsoft\\ . The\r\nnewly decoded script is then executed using the InvokeExpression command.\r\nWwanSvc.a\r\nThe WwanSvc.a artifact contains a 256-byte key that is used by the base64-encoded script in WwanSvc.txt to\r\ndecode a new PowerShell script in WwanSvc.c . The key is also used to decode the reflectively loaded payload in\r\nWwanSvc.b .\r\nWwanSvc.c\r\nThe WwanSvc.c artifact is an XOR-encoded PowerSploit reflective loader program.[2 ] The program is decoded\r\nusing the 256-byte key found in WwanSvc.a . The script will decode the content of WwanSvc.b and then check to\r\nconfirm that it has a valid PE header. The script will also check the system environment for a 64-bit architecture\r\n(System Information Discovery [T1082 ]). The executable is not written to disk but loaded directly into memory.\r\nWwanSvc.b\r\nThe WwanSvc.b artifact, when decoded, is a 64-bit variant of the SombRAT loader. The primary purpose of the\r\nloader is to allow a remote operator to securely download and load executable plugins on a target system. Given\r\nthis plugin structure, the author can easily mold the RAT to provide additional functionalities and capabilities. The\r\napplication contains the following two hardcoded public RSA keys, which it will utilize to secure its C2 sessions\r\nwith the remote operator. Static analysis indicates that the C2 communications will also be encrypted using AES,\r\nresulting in a Secure Sockets Layer (SSL) tunnel with the remote operator.\r\nThe configuration file 59fb3174bb34e803 , located in C:\\ProgramData , contains the data the malware requires at\r\nruntime, including the operator-controlled remote C2 address. 
The malware decrypts this configuration file with\r\nthe hardcoded AES key ujnchdyfngtreaycnbjgi837157fncae . See figure 2.\r\nFigure 2: Hardcoded AES key\r\nThe malware contains numerous encoded strings, including the AES key used to decrypt the malware\r\nconfiguration file. The malware decrypts these strings by first XORing them with the first byte. The malware then\r\ndecrypts the rest of the string by XORing it with the single byte XOR key 0xDE . \r\nThis string can be decrypted by XORing the entire string with the value 0x78 and then XORing the result with\r\n0xDE .\r\nThe RAT provides most of its C2 capabilities to the remote operator by allowing the remote operator to securely\r\ntransfer executable DLL plugins to the target system—via a protected SSL session—and load these plugins at will\r\nvia the embedded plugin framework. The native malware itself does not provide much actual functionality to the\r\noperator without the code provided by the plugins. Some of the native functionality that the malware provides\r\nwithout the use of a plugin includes collecting system data—such as computer name, username, current process,\r\noperating system (OS) version, local system time, and the current process that the malware is masquerading as\r\n(System Owner/User Discovery [T1033 ], Process Discovery [T1057 ], System Time Discovery [T1124 ],\r\nMasquerading [T1036 ]). The program also contains native C2 capabilities allowing it to communicate with the\r\nremote operator using an embedded SOCKS proxy or via domain name system (DNS) tunneling (Proxy [T1090\r\n]).\r\nThe malware does contain hardcoded commands that it uses to evaluate against operator-provided data. 
These\r\ncommands are encoded within the binary, and they are not decoded before being compared against operator-provided data—indicating the malware expects the remote operator to encode the commands before passing them\r\nto the RAT. \r\nThe malware contains an encoded note, presumably designed for malware analysts who analyze the code. See\r\nfigure 3.\r\nFigure 3: Encoded note\r\n59fb3174bb34e803\r\nThe 59fb3174bb34e803 artifact is an encrypted configuration file that is read by the WwanSvc program. The\r\nconfiguration file contains the hardcoded domain, feticost[.]com . The program attempts DNS queries for this\r\ndomain prepending a third level domain that consists of seven to nine random hexadecimal characters (e.g.,\r\nbb95058f1[.]feticost.com ).\r\nThe domain feticost[.]com resolved to the IP address 51.89.50[.]152 at the time of analysis.\r\nPublicly Available Tool: RouterScan.exe\r\nThe RouterScan.exe artifact is Router Scan v2.60 by Stas'M. This utility is used to identify network routers and\r\nproxy servers on a network (Discovery [TA0007 ]). The latest release of this program (v2.60) contains a list of\r\ncommon admin names and passwords that can be used for a dictionary attack to gain access to a network router\r\n(Credential Access [TA0006 ], Brute Force: Password Guessing [T1110.001 ]). The program also contains\r\ncode to identify common vulnerabilities and leverage exploits against many popular routers (Active Scanning:\r\nVulnerability Scanning [T1595.002 ]). The program can be customized to scan any subnet and any particular\r\nport, or protocol (Network Service Scanning [T1046 ]). The latest version also contains software to scan for\r\nwireless network access points (System Network Connections Discovery [T1049 ]). \r\nTo execute this program, two libraries are required: librouter.dll and libeay32.dll . Upon execution, the\r\nprogram will generate several telemetry files that are dropped in the current directory. 
These files are named\r\nRouterScan.log , Config.ini , filter.txt , exclusions.txt , ports.txt , and ranges.txt .\r\nOpen-Source Tool: grabff.exe\r\nThe grabff.exe artifact is a 32-bit .NET executable called grabff and is used for Credential Access [TA0006 ].\r\nThe program uses a command line interface to extract Firefox stored passwords and authentication information\r\nfrom the user’s profile located at C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles (Command and\r\nScripting Interpreter: Windows Command Shell [T1059.003 ], Credentials from Password Stores: Credentials\r\nfrom Web Browsers [T1555.003 ]). The program will extract the password databases found in key3.db ,\r\nkey4.db , and logins.json as well as the SQLite-based certificate database, cert9.db . The data can be\r\ncopied to any designated directory.\r\nOpen-Source Tool: rclone.exe\r\nThe rclone.exe artifact is an open-source cloud content management program called Rclone. The program uses\r\na command line interface to manage files in cloud storage. The program is capable of uploading and downloading\r\nfiles, verifying file integrity, and providing file encryption. The program can use any of the following protocols:\r\nSSH File Transfer Protocol (SFTP), Web Distributed Authoring and Versioning (WebDAV), File Transfer Protocol\r\n(FTP), and Digital Living Network Alliance (DLNA).\r\ns3browser-9-5-3.exe\r\nThe s3browser-9-5-3.exe artifact is the free version of the S3 Browser program used to upload and download\r\ndata from a cloud account. The program can fully configure a cloud account, modify HTTP headers and object\r\ntags, enable multiple simultaneous uploads and downloads, and provide server-side encryption (Create Account:\r\nCloud Account [T1136.003 ]). By default, the installed components of the program are stored in the path\r\nC:\\Program Files\\S3 Browser . 
Activity logs are created on a daily basis and are stored in the path C:\\Users\\\r\n\u003cuser\u003e\\AppData\\Roaming\\S3Browser\\logs in the format s3browser-win32-YYYY-MM-DD-log.txt .\r\nSummary\r\nThis Analysis Report uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®)\r\nframework, Version 9. See the ATT\u0026CK for Enterprise framework for all referenced threat actor tactics and\r\ntechniques.\r\nThe Cybersecurity and Infrastructure Security Agency (CISA) is aware of a recent successful cyberattack against\r\nan organization using a new ransomware variant, which CISA refers to as FiveHands. Threat actors used publicly\r\navailable penetration testing and exploitation tools, FiveHands ransomware, and SombRAT remote access trojan\r\n(RAT), to steal information, obfuscate files, and demand a ransom from the victim organization. Additionally, the\r\nthreat actors used publicly available tools for network discovery and credential access.\r\nThis report provides the tactics, techniques, and procedures the threat actors used in this attack as well as\r\nindicators of compromise (IOCs). It also includes CISA’s recommended mitigations to protect networks from\r\nransomware attacks and to detect—and respond to—these attacks.\r\nRefer to Malware Analysis Report AR21-126B for full technical details and associated IOCs.\r\nFor a PDF copy of this report, click here.\r\nNote: the analysis of FiveHands ransomware is ongoing; CISA will update this report as new information\r\nbecomes available.\r\nSolution\r\nShould your organization be a victim of ransomware, CISA strongly recommends responding by using the\r\nRansomware Response Checklist located in the Joint Ransomware Guide, co-authored by CISA and the Multi-State Information Sharing and Analysis Center. 
The guide contains steps for detection and analysis as well as\r\ncontainment and eradication.\r\nCISA recommends organizations implement the following practices to strengthen the security posture of their\r\nsystems. \r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up to date.\r\nDisable file and printer sharing services. If these services are required, use strong passwords or Active\r\nDirectory authentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to\r\nthe local administrators group unless required.\r\nImplement multi-factor authentication (MFA), particularly on all VPN connections, external-facing\r\nservices, and privileged accounts. Where MFA is not implemented, enforce a strong password policy and\r\nimplement regular password changes.\r\nDecommission unused VPN servers, which may act as a point of entry for attackers. \r\nMonitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g.,\r\nSSH, SMB, RDP).\r\nExercise caution when opening email attachments even if the attachment is expected and the sender\r\nappears to be known.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for—and remove—suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\"\r\n(i.e., the extension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).\r\nScan all software downloaded from the internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate access control lists (ACLs).\r\nReferences\r\n[1] BlackBerry ThreatVector Blog, The CostaRicto Campaign: Cyber-Espionage 
Outsourced\r\n[2] MITRE ATT\u0026CK – PowerSploit\r\nRevisions\r\nMay 6, 2021: Initial Version\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a"
	],
	"report_names": [
		"ar21-126a"
	],
	"threat_actors": [
		{
			"id": "c72c09b8-81ba-4e6e-9094-cd84ee4bda79",
			"created_at": "2022-10-25T15:50:23.667393Z",
			"updated_at": "2026-04-10T02:00:05.344613Z",
			"deleted_at": null,
			"main_name": "CostaRicto",
			"aliases": [
				"CostaRicto"
			],
			"source_name": "MITRE:CostaRicto",
			"tools": [
				"PowerSploit",
				"SombRAT",
				"PsExec",
				"PS1",
				"CostaBricks"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b77f9b40-dca7-449d-819e-115cd2295b41",
			"created_at": "2022-10-25T16:07:23.502671Z",
			"updated_at": "2026-04-10T02:00:04.63173Z",
			"deleted_at": null,
			"main_name": "CostaRicto",
			"aliases": [],
			"source_name": "ETDA:CostaRicto",
			"tools": [
				"CostaBricks",
				"PowerSploit",
				"PsExec",
				"SombRAT",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "115cf618-02a8-42b8-8d25-305292eafedb",
			"created_at": "2023-11-21T02:00:07.396534Z",
			"updated_at": "2026-04-10T02:00:03.478259Z",
			"deleted_at": null,
			"main_name": "CostaRicto",
			"aliases": [],
			"source_name": "MISPGALAXY:CostaRicto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434512,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e395faf8f096bc406d112d207086d65aef73412.pdf",
		"text": "https://archive.orkl.eu/4e395faf8f096bc406d112d207086d65aef73412.txt",
		"img": "https://archive.orkl.eu/4e395faf8f096bc406d112d207086d65aef73412.jpg"
	}
}