Share Researchers observed a new ransomware variant, called FiveHands, being deployed by an “aggressive” financially motivated threat group in January and February. According to a FireEye Mandiant report, the UNC2447 group exploited a critical SonicWall vulnerability (CVE-2021-20016) prior to a patch being available. The group leveraged this exploit as a foothold in order to deploy the previously-discovered SombRAT malware, as well as FiveHands. “UNC2447 monetizes intrusions by extorting their victims first with FiveHands ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums,” said researchers with FireEye Mandiant. UNC2447 (“UNC” being FireEye’s designation for unclassified threat groups) was first discovered by researchers in November, when they observed the group using a PowerShell dropper in an attempt to install malware at two unnamed companies. In January, the UNC2447 group was then observed exploiting the SonicWall flaw, a critical SQL injection vulnerability in Secure Mobile Access (SMA) 100 Series VPN appliances, which allows unauthenticated attackers to achieve remote code execution. Before SonicWall patched the flaw in February, it revealed that it had "identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products."