The group recognized as UNC2447 is found exploiting the SonicWall VPN zero-day vulnerability since a patch has not rolled out for the exploit yet. The malware being deployed was previously prevalent with the name “SOMBRAT.” SOMBRAT is being used for ransomware – which was not previously reported.
FIVEHANDS ransomware is first used by the group and later on the victims are extorted through media attention and data sale threats. The group targets organizations in Europe and North America. They have also displayed advanced capabilities of evading detection and minimize post-intrusion forensics.
UNC2447 was previously found using RAGNARLOCKER ransomware. HELLOKITTY and FIVEHANDS were used by the system and HELLOKITTY was being used from May 2020 to December 2020, and FIVEHANDS is being actively used since then.