FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
gthirugnanasa
Article Id 194887

Introduction

 

FiveHands is a novel ransomware variant that uses a public-key encryption scheme called NTRUEncrypt. The FiveHands payload is a 32-bit executable that encrypts files on the victim's system to extort a ransom. When executed, it enumerates the files and folders on the system and encrypts files with extensions including .txt, .chm, .dat, .ocx, .js, .tlb, .vbs, .sys, .lnk, .xml, .jpg, .log, .zip, .htm, .ini, .gif, .html, .css, and others. Key system files are not encrypted.

Solution

Pre-Execution:

In prevention mode, FortiEDR blocks the FiveHands ransomware payload as soon as it is accessed, before it can execute. FortiEDR detects this variant as W32/Filecoder.

Post-Execution:

Let's see how FortiEDR detects this ransomware at each stage by switching to simulation mode. In simulation mode, FortiEDR generates events but does not block the operations, allowing the ransomware to execute fully.

1. File Write

The FiveHands ransomware attempts to encrypt the Windows Boot Manager (bootmgr), which starts the operating system. FortiEDR detects and blocks the file write operation.

2. WMI Service Access

The FiveHands ransomware attempts to access the Windows Management Instrumentation (WMI) service in order to thwart data recovery. It enumerates volume shadow copies with the query "select * from Win32_ShadowCopy" and then deletes each copy by its ID (Win32_ShadowCopy.ID). FortiEDR detects and blocks the WMI service access.
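As an added illustration (not FortiEDR's own detection logic and not code from the original article), the following Python detection runs over constructed WMI activity records and raises a high-severity finding when a single process both enumerates Win32_ShadowCopy and deletes instances by ID, the sequence described above. Enumeration alone is reported at low severity, since backup and administration software issues that query legitimately. The record format, process IDs, image paths and shadow-copy IDs are all constructed for the example.

```python
import re

# Constructed WMI activity records (not FortiEDR telemetry). Fields are
# timestamp | pid | image | operation | detail, one record per line.
SAMPLE_WMI_LOG = """\
2021-04-20T10:01:02Z|4120|C:\\Windows\\System32\\svchost.exe|ExecQuery|SELECT * FROM Win32_Service
2021-04-20T10:02:15Z|5312|C:\\Users\\Public\\ServeManager.exe|ExecQuery|select * from Win32_ShadowCopy
2021-04-20T10:02:15Z|5312|C:\\Users\\Public\\ServeManager.exe|DeleteInstance|Win32_ShadowCopy.ID="{0A1B2C3D-0000-4000-8000-000000000001}"
2021-04-20T10:02:16Z|5312|C:\\Users\\Public\\ServeManager.exe|DeleteInstance|Win32_ShadowCopy.ID="{0A1B2C3D-0000-4000-8000-000000000002}"
2021-04-20T10:05:00Z|2200|C:\\Program Files\\BackupAgent\\agent.exe|ExecQuery|select * from Win32_ShadowCopy
"""

# A WQL query that reads from the Win32_ShadowCopy class, in any letter case.
SHADOWCOPY_QUERY = re.compile(r"\bfrom\s+Win32_ShadowCopy\b", re.IGNORECASE)
# An object path that addresses one shadow copy by its ID (the delete target).
SHADOWCOPY_DELETE = re.compile(r"^Win32_ShadowCopy\.ID=", re.IGNORECASE)


def parse_wmi_log(text):
    """Parse the constructed pipe-delimited records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, op, detail = line.split("|", 4)
        events.append({"ts": ts, "pid": int(pid), "image": image,
                       "op": op, "detail": detail})
    return events


def detect_shadow_copy_tampering(events):
    """Correlate shadow-copy enumeration and deletion per process.

    Returns one finding per process that touched Win32_ShadowCopy:
    severity "high" if it deleted any shadow copy, "low" if it only
    enumerated them (backup software does that legitimately).
    """
    per_pid = {}
    for ev in events:
        state = per_pid.setdefault(ev["pid"], {
            "image": ev["image"], "first_seen": None,
            "enumerated": False, "deleted": 0,
        })
        if ev["op"] == "ExecQuery" and SHADOWCOPY_QUERY.search(ev["detail"]):
            state["enumerated"] = True
            state["first_seen"] = state["first_seen"] or ev["ts"]
        elif ev["op"] == "DeleteInstance" and SHADOWCOPY_DELETE.match(ev["detail"]):
            state["deleted"] += 1
            state["first_seen"] = state["first_seen"] or ev["ts"]

    findings = []
    for pid, state in per_pid.items():
        if state["deleted"]:
            severity = "high"
        elif state["enumerated"]:
            severity = "low"
        else:
            continue  # this process never touched shadow copies
        findings.append({
            "pid": pid,
            "image": state["image"],
            "severity": severity,
            "enumerated": state["enumerated"],
            "deleted": state["deleted"],
            "first_seen": state["first_seen"],
        })
    return findings


if __name__ == "__main__":
    for f in detect_shadow_copy_tampering(parse_wmi_log(SAMPLE_WMI_LOG)):
        print(f"[{f['severity'].upper()}] pid={f['pid']} {f['image']} "
              f"enumerated={f['enumerated']} deleted={f['deleted']}")
```

Correlating by process rather than alerting on the query string alone keeps the backup agent at low severity while the process that enumerates and then deletes is flagged high; in a real deployment the severity of the enumeration-only case can be tuned against the software inventory.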

3. File Write

After encrypting the user's files, the ransomware drops a ransom note containing the actor's contact information and instructions for contacting them. FortiEDR detects the new files being dropped and generates a block event.

Threat Hunting:

ServeManager.exe, the FiveHands ransomware loader, is a 32-bit executable that is launched with PsExec.exe, the Microsoft Sysinternals remote administration tool:

psexec.exe -d @comps.txt -s -relatime -c ServeManager.exe -key 

The arguments are defined as follows:

-d Run psexec.exe without any prompts.
@ Remotely access the hostnames/IP addresses listed in the named file (comps.txt).
-s Run the program with system-level privileges.
-relatime A misspelling of -realtime, which runs this process before any other process.
-c Copy the program to the remote system before executing it.
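As an added example (not FortiEDR's Threat Hunting query and not code from the original article), the following Python hunt parses PsExec command lines out of constructed process-creation records and scores the features of the launch quoted above: an @file host list, -c copying the binary to each target, -s for SYSTEM, -d to detach, and a -realtime option or a near-misspelling of it such as -relatime. The record format, hostnames, file paths, the placeholder key and password, and the scoring weights and threshold are assumptions for this example; the set of PsExec options treated as taking a value (-u, -p, -n, -w) follows PsExec's documented usage.

```python
import difflib
import ntpath
import shlex

# Image names PsExec ships under (Sysinternals PsExec.exe / PsExec64.exe).
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe"}
# PsExec options that consume the next token as their value.
OPTIONS_WITH_VALUE = {"-u", "-p", "-n", "-w"}
# Weights for the launch features seen in the FiveHands case; assumed values, tune locally.
WEIGHTS = {"host_list": 2, "copy": 2, "system": 1, "detach": 1, "realtime": 1}
SUSPICIOUS_THRESHOLD = 5

# Constructed process-creation records (not FortiEDR telemetry). The first mirrors
# the command line quoted in the article, with a placeholder in place of the key.
SAMPLE_PROCESS_EVENTS = [
    {"host": "WS-017", "cmdline": "psexec.exe -d @comps.txt -s -relatime -c ServeManager.exe -key CONSTRUCTED_KEY"},
    {"host": "ADMIN-01", "cmdline": "psexec.exe \\\\fileserver01 -u CORP\\svc_ops -p CONSTRUCTED_PW cmd.exe /c ipconfig /all"},
    {"host": "ADMIN-01", "cmdline": "C:\\Tools\\PsExec64.exe \\\\ws-042 -s -i cmd.exe"},
    {"host": "WS-017", "cmdline": "notepad.exe C:\\Users\\Public\\notes.txt"},
]


def parse_psexec_cmdline(cmdline):
    """Split a PsExec command line into targets, options, program and its args.

    Returns None when the image is not PsExec. Non-POSIX shlex keeps Windows
    backslashes intact. Syntax: psexec [\\\\host | @file] [options] program [args].
    """
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens or ntpath.basename(tokens[0]).lower() not in PSEXEC_IMAGES:
        return None
    targets, options, program, program_args = [], [], None, []
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if program is not None:
            program_args.append(tok)           # everything after the program belongs to it
        elif tok.startswith("@") or tok.startswith("\\\\"):
            targets.append(tok)                # @file list or \\host
        elif tok.startswith("-"):
            opt = tok.lower()
            options.append(opt)
            if opt in OPTIONS_WITH_VALUE:
                i += 1                         # skip the option's value
        else:
            program = tok
        i += 1
    return {"targets": targets, "options": options,
            "program": program, "program_args": program_args}


def score_psexec_launch(parsed):
    """Score the features that make a PsExec launch look like mass deployment."""
    indicators, score = [], 0
    opts = parsed["options"]
    if any(t.startswith("@") for t in parsed["targets"]):
        indicators.append("@file host list: fan-out to many systems")
        score += WEIGHTS["host_list"]
    if "-c" in opts:
        indicators.append("-c: copies the program to the remote host")
        score += WEIGHTS["copy"]
    if "-s" in opts:
        indicators.append("-s: runs as SYSTEM")
        score += WEIGHTS["system"]
    if "-d" in opts:
        indicators.append("-d: does not wait for the program")
        score += WEIGHTS["detach"]
    for opt in opts:
        name = opt[1:]
        # Exact -realtime, or a near-misspelling such as -relatime (similarity >= 0.8).
        if name == "realtime" or difflib.SequenceMatcher(None, name, "realtime").ratio() >= 0.8:
            label = "" if name == "realtime" else " (misspelled, likely hand-typed)"
            indicators.append(f"{opt}: real-time priority{label}")
            score += WEIGHTS["realtime"]
    return {"score": score, "suspicious": score >= SUSPICIOUS_THRESHOLD,
            "indicators": indicators, **parsed}


def hunt_psexec(events):
    """Return a scored result for every PsExec launch in the process events."""
    results = []
    for ev in events:
        parsed = parse_psexec_cmdline(ev["cmdline"])
        if parsed is None:
            continue
        result = score_psexec_launch(parsed)
        result["host"] = ev["host"]
        results.append(result)
    return results


if __name__ == "__main__":
    for r in hunt_psexec(SAMPLE_PROCESS_EVENTS):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{r['host']}: {flag} score={r['score']} program={r['program']} "
              f"targets={r['targets']} indicators={r['indicators']}")
```

Scoring the combination rather than any single option keeps ordinary one-host administration (the second and third records) below the threshold while the fan-out launch with -c and -s scores well above it; the misspelling check is a small but useful signal, because deployment scripts rarely contain typos.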

When the loader runs, it loads the ransomware module into memory and decodes it with the supplied key. It then checks that the decoded payload contains a PE header before executing it.
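The loader's PE-header check has a defensive counterpart: when a decoded payload is recovered from memory or from disk, the same structural test tells an analyst whether it is a loadable image and what kind. The following Python code is an added example (not the loader's code and not from the original article); it validates the DOS header, follows e_lfanew to the "PE\0\0" signature with bounds checks, reads the COFF file header, and scans a buffer for every valid header. The sample buffer, a minimal 32-bit header preceded by a decoy "MZ", is constructed inline.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE_NAMES = {0x014C: "i386 (32-bit)", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
# Optional header magic values.
PE_FORMATS = {0x10B: "PE32", 0x20B: "PE32+"}
# IMAGE_FILE_HEADER.Characteristics bits used here.
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000


def parse_pe_header(buf, offset=0):
    """Validate a PE header at buf[offset:] and summarize it, or return None.

    Checks an "MZ" DOS header whose e_lfanew points at a "PE\\0\\0" signature,
    with bounds checks so truncated data and decoy "MZ" bytes are rejected.
    """
    if buf[offset:offset + 2] != b"MZ" or len(buf) < offset + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", buf, offset + 0x3C)[0]
    pe_off = offset + e_lfanew
    # Need room for the 4-byte signature plus the 20-byte COFF file header.
    if e_lfanew < 0x40 or pe_off + 24 > len(buf):
        return None
    if buf[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    machine, nsections, _ts, _symtab, _nsyms, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", buf, pe_off + 4)
    fmt = None
    if opt_size >= 2 and pe_off + 26 <= len(buf):
        fmt = PE_FORMATS.get(struct.unpack_from("<H", buf, pe_off + 24)[0])
    return {
        "offset": offset,
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "format": fmt,
        "executable": bool(flags & IMAGE_FILE_EXECUTABLE_IMAGE),
        "dll": bool(flags & IMAGE_FILE_DLL),
    }


def find_pe_images(buf):
    """Scan a decoded buffer or memory capture for every valid PE header."""
    found, pos = [], buf.find(b"MZ")
    while pos != -1:
        info = parse_pe_header(buf, pos)
        if info:
            found.append(info)
        pos = buf.find(b"MZ", pos + 1)
    return found


def build_sample_image():
    """Construct a minimal 32-bit PE header (headers only, no code) for the demo."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)              # e_lfanew: PE signature at 0x80
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0x60790000, 0, 0, 224,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222      # PE32 magic, rest zeroed
    return bytes(dos) + b"\0" * (0x80 - 0x40) + b"PE\0\0" + coff + optional


# Constructed buffer: a decoy "MZ" inside junk, the sample image at offset 32, then junk.
SAMPLE_BUFFER = b"\0" * 16 + b"MZ" + b"\0" * 14 + build_sample_image() + b"trailing junk"


if __name__ == "__main__":
    for img in find_pe_images(SAMPLE_BUFFER):
        print(f"PE at offset {img['offset']}: {img['format']} {img['machine']}, "
              f"{img['sections']} sections, executable={img['executable']}, dll={img['dll']}")
```

The decoy "MZ" at offset 16 is rejected because the bytes at its e_lfanew position are zero, which fails the minimum-offset check; a genuine loader that skipped such bounds checks would misread arbitrary bytes, which is why the analyst-side parser insists on them.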

The Threat Hunting feature in FortiEDR v5 helps hunt for the ransomware loader with the query below; the query can also be scheduled to run automatically and send notifications for events that match it.

FortiEDR detects and defuses this threat in real time. These steps prevent data exfiltration, command-and-control (C&C) communication, file tampering, and ransomware encryption.

IOC:

39ea2394a6e6c39c5d7722dc996daf05

f568229e696c0e82abb35ec73d162d5e

The FortiGuard Managed Detection and Response (MDR) Service is designed for customers of the FortiEDR advanced endpoint security platform. This team of threat experts monitors, reviews and analyzes every alert, proactively hunts threats, and takes actions on behalf of customers to ensure they are protected according to their risk profile.