FiveHands

Malware

⚠️ Overview

FiveHands is a human-operated ransomware variant first documented by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) in a joint advisory (AA21-138A) released on April 7, 2021. The malware is attributed to the UNC1878 threat cluster, which overlaps with the Ryuk and Conti operations, operating as a private ransomware-as-a-service (RaaS) enterprise primarily targeting enterprise networks in the United States and Europe.

🔧 Technical Capabilities

FiveHands employs a multi-stage attack chain: initial access is typically gained through phishing emails carrying malicious attachments (e.g., Excel documents) or through exploitation of exposed Remote Desktop Protocol (RDP) services. Once inside the network, the operators use Cobalt Strike beacons for command-and-control (C2) communication over HTTP/HTTPS on ports 443, 80, and 8080. The malware uses PowerShell scripts and living-off-the-land binaries (LOLBins) such as PsExec and WMI for lateral movement, and has been observed disabling Windows Defender and other endpoint protections. FiveHands achieves persistence through scheduled tasks and registry run keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Files are encrypted with AES-256, with RSA-4096 protecting the AES keys, and a ransom note named “FiveHands-Recovery.txt” is left on each affected system.

📜 History & Notable Incidents

FiveHands was first publicly identified in March 2021 after incidents involving the Pensacola City Hall (Florida) and a U.S. healthcare provider, where attackers demanded ransoms ranging from $100,000 to $500,000 in Bitcoin. Notably, the group exploited CVE-2019-19781 (Citrix ADC vulnerability) and CVE-2020-1472 (Zerologon, a privilege escalation flaw in Netlogon) in some intrusions, as noted by the CISA-FBI joint advisory. No major law enforcement takedowns have been publicly announced for FiveHands specifically.

🔍 Detection Indicators

Known file hashes associated with FiveHands samples include the SHA-256 hash 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1 (example from a VirusTotal report cited in a BleepingComputer analysis). Behavioral detection indicators include creation of the mutex Global\FiveHands_Mutex, network connections to C2 IPs in the 45.155.205.0/24 range (blocklisted by GreyNoise), and the ransom note file name. Registry keys such as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FiveHandsUpdater are created for persistence.

☠️ Risk & Impact

FiveHands operators exfiltrate data prior to encryption, stealing sensitive files (financial records, intellectual property) and threatening public release to force payment. The primary impacted sectors are Healthcare, Government, and Manufacturing, with financial losses per incident estimated between $200,000 and $1.2 million based on CISA breach notifications. The backup destruction tactic (using vssadmin and wbadmin) amplifies operational downtime, which often lasts weeks.

🛡️ Mitigation

Defenders should enforce multifactor authentication on all remote access, apply patches for CVE-2019-19781 and CVE-2020-1472, and implement detection rules using Sigma or YARA (e.g., rule FiveHands_Exec_Behavior) as published by CISA. Regularly tested offline backups and a 24/7 network monitoring capability for Cobalt Strike beaconing (e.g., JA3/JA3S hash detection) are essential countermeasures.
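The following script is an added example, not part of the profile above or of any CISA publication. It turns the behavioral indicators listed under Detection Indicators (persistence run key, mutex, ransom note name, C2 address range) and the backup-destruction tactic noted under Risk & Impact into a small triage routine that runs over constructed endpoint telemetry. The event schema, the sample events and the vssadmin/wbadmin command-line patterns are assumptions chosen for the example; the indicator values themselves are taken from the page. Hosts matching two or more distinct indicator types are labelled high severity.

```python
"""Triage helper: flag FiveHands-style host and network indicators in constructed telemetry."""
import ipaddress
import re
from typing import Dict, List

# Indicators named in the profile above (registry run key, mutex, ransom note, C2 range).
# Treat them as hunting hints, not proof: names like these are trivially changed between samples.
PERSISTENCE_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FiveHandsUpdater"
MUTEX_NAME = r"Global\FiveHands_Mutex"
RANSOM_NOTE = "FiveHands-Recovery.txt"
C2_NETWORK = ipaddress.ip_network("45.155.205.0/24")

# Backup-destruction command lines (vssadmin / wbadmin) are a generic ransomware precursor.
# These token patterns are an assumption modelled on common Sigma rules, not taken from the page.
BACKUP_DESTRUCTION = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.IGNORECASE),
]


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the indicator names an event matches (empty list if nothing matches)."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "registry_set" and event.get("key", "").lower() == PERSISTENCE_KEY.lower():
        hits.append("persistence_run_key")
    elif kind == "mutex_create" and event.get("name", "") == MUTEX_NAME:
        hits.append("fivehands_mutex")
    elif kind == "file_create" and event.get("path", "").lower().endswith(RANSOM_NOTE.lower()):
        hits.append("ransom_note")
    elif kind == "net_connect":
        try:
            if ipaddress.ip_address(event.get("dst_ip", "")) in C2_NETWORK:
                hits.append("c2_range")
        except ValueError:
            pass  # malformed or missing address: nothing to match
    elif kind == "process_create":
        cmd = event.get("cmdline", "")
        if any(pattern.search(cmd) for pattern in BACKUP_DESTRUCTION):
            hits.append("backup_destruction")
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[str, tuple]:
    """Aggregate hits per host; two or more distinct indicator types on one host rate as high severity."""
    per_host: Dict[str, set] = {}
    for ev in events:
        for hit in classify_event(ev):
            per_host.setdefault(ev["host"], set()).add(hit)
    return {
        host: ("high" if len(hits) >= 2 else "medium", sorted(hits))
        for host, hits in per_host.items()
    }


# Constructed sample telemetry (not real events): one host with several indicators, one clean host.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "registry_set", "key": PERSISTENCE_KEY, "value": r"C:\Users\Public\update.exe"},
    {"host": "ws01", "type": "process_create", "cmdline": "vssadmin.exe delete shadows"},
    {"host": "ws01", "type": "net_connect", "dst_ip": "45.155.205.17", "dst_port": "443"},
    {"host": "ws01", "type": "file_create", "path": r"C:\Users\alice\Documents\FiveHands-Recovery.txt"},
    {"host": "srv02", "type": "net_connect", "dst_ip": "10.0.0.5", "dst_port": "445"},
    {"host": "srv02", "type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive", "value": "..."},
    {"host": "srv02", "type": "process_create", "cmdline": "wbadmin get versions"},
]

if __name__ == "__main__":
    for host, (severity, hits) in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {severity} -> {', '.join(hits)}")
```

Running the block prints one line for ws01 rated high (four indicator types) and nothing for srv02, whose run-key write, SMB connection and read-only wbadmin query are all legitimate. The C2 check uses the ipaddress module rather than a string prefix so that it behaves correctly for any prefix length, and the per-host aggregation is what lets a single weak indicator (a run key named after a product) stay at medium while the combination escalates.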


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.