Hacking group exploited SonicWall zero-day for ransomware attacks, FireEye says

The malware in questions bear similarities to another hacking tool named after the popular cartoon.
The Hello Kitty balloon is seen at the 91st Annual Macy's Thanksgiving Day Parade on November 23, 2017 in New York City. The ransomware FireEye discovered bears a resemblance to the HelloKitty strain. (Photo by Noam Galai/WireImage)

A hacking group exploited a SonicWall zero-day software flaw before a fix was available in order to deploy a previously unreported ransomware strain, FireEye researchers said Thursday.

The disclosure of the ransomware comes one week after FireEye revealed three previously unknown vulnerabilities in SonicWall’s email security software. But the latest hacking tool emerges from an earlier zero-day  found in SonicWall’s mobile networking gear.

Mandiant, FireEye’s incident response unit, dubbed the malware FiveHands, which bears similarities to another hacking tool, dubbed HelloKitty, that attackers deployed against a video game company. The security firm linked it to a group they call UNC2447.

“UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums,” reads a blog post from the company. “UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics.”


Both FireEye and SonicWall know that being a security company doesn’t guarantee one’s own security. The zero-days FireEye publicized last week were in a SonicWall product explicitly meant to protect against unknown software vulnerabilities, and ransomware, for instance. Also, FireEye was discovered the vulnerability in software from the federal contractor SolarWinds while probing its systems after detecting that FireEye itself was a victim of the same flaw.

Besides the newly-disclosed ransomware, UNC2447 also employs a large number of other tools, demonstrating its growth since it entered public view in November, said Mandiant’s Tyler McLellan.

“UNC2447 does display an unusual sophistication in the wide array of non-public tools,” McLellan, principal threat analyst with advanced practices at Mandiant, wrote in an email. “As ransomware groups are successful, they can use the funds they receive towards purchasing custom tools and even zero-days. This is also part of a broader evolution from pure ransomware to a hybrid use of extortion.”

Among the tools the group used is SombRAT, a custom backdoor that the hack-for-hire group known as CostaRicto reportedly developed. FireEye saw the same group employ both SombRAT and FiveHands in January, although the company said not all SombRAT and FiveHands intrusions may be the work of UNC2447.

FireEye uses the “UNC” label, short for uncategorized threats, for activity it can’t attribute to well-known, firmly-established hacking groups. UNC2447’s FiveHands ransomware does share some similarities with more familiar varieties, however.


FiveHands bears a resemblance to HelloKitty, used in the attack on video game company CD Projekt Red, FireEye said.

“At this time, we do not have information regarding self-identification by UNC2447,” wrote Justin Moore, threat analyst with advanced practices, in an email. “Based on the technical similarities between HELLOKITTY and FIVEHANDS, and the HELLOKITTY icon on the FIVEHANDS chat page, we suspect they use the HELLOKITTY name.”

Still, the company cautioned in its blog post: “While similarities between HELLOKITTY and FIVEHANDS are notable, ransomware may be used by different groups through underground affiliate programs.”

Latest Podcasts