KEY POINTS

  • Hackers leveraged SonicWall’s zero-day bug
  • Threat actors exploited the vulnerabilities and deployed ransomware
  • The group targets large entities in Europe and North America

SonicWall SMA 100 Series VPN is reportedly under ransomware attack through a zero-day bug. The most recent attack involves DEATHRANSOM, a type of ransomware that infected and encrypted its victims’ data back in 2019.

On April 29, FireEye-owned Mandiant published a report warning entities across the globe about ransomware attacks on SonicWall appliances. UNC2447, the threat actor, exploited the zero-day vulnerability in SonicWall SMA 100 Series VPN appliances. UNC2447 is an aggressive, financially motivated group that extorts its victims.

The report said that the attack currently targets entities and large companies. The threat actors were spotted targeting large organizations in Europe and North America in January.

Mandiant added that UNC2447 repeatedly managed to escape detection. The group also successfully hampers any attempt to investigate it after it has intruded into a system.

According to the report, UNC2447 took advantage of the zero-day vulnerability in the SonicWall VPN and used it to deploy sophisticated malware, Bleeping Computer reported.

The group operates and earns money from its victims in three steps.

First, they intrude and encrypt the victims’ data by deploying the ransomware, gaining access to login credentials such as user names and passwords as well as session information.

They later threaten the victims with media attention unless a certain amount of money is paid. Finally, they sell the victims’ information through online hacker forums.

UNC2447 managed to leverage the zero-day vulnerability and deploy sophisticated malware successfully even before the patch was released in February.

The group reportedly combined the SombRAT backdoor variant, malware associated with a group of mercenary hackers, with FIVEHANDS ransomware, a variant of DEATHRANSOM.

FIVEHANDS ransomware, which was first spotted in October 2020, is similar to its predecessor, the HelloKitty ransomware, according to SC Media.

However, FIVEHANDS possesses certain improvements compared to HelloKitty ransomware. It uses a memory-only dropper in its attacks. It also applies encryption to a wider variety of files.

HelloKitty ransomware was responsible for stealing the source code of Cyberpunk 2077, Witcher 3, Gwent, and an unreleased version of Witcher 3. Attackers used the said malware to encrypt the systems of the video game maker.
