FIVEHANDS is a customized version of DEATHRANSOM ransomware written in C++. FIVEHANDS has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with SombRAT.[1][2]

ID: S0618
Platforms: Windows
Version: 1.1
Created: 04 June 2021
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1059 Command and Scripting Interpreter

FIVEHANDS can receive a command line argument to limit file encryption to specified directories.[1][2]

Enterprise T1486 Data Encrypted for Impact

FIVEHANDS can use an embedded NTRU public key to encrypt data for ransom.[1][3][2]

Enterprise T1140 Deobfuscate/Decode Files or Information

FIVEHANDS has the ability to decrypt its payload prior to execution.[1][3][2]

Enterprise T1083 File and Directory Discovery

FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions.[3][2]

Enterprise T1490 Inhibit System Recovery

FIVEHANDS has the ability to delete volume shadow copies on compromised hosts.[1][3]

Enterprise T1135 Network Share Discovery

FIVEHANDS can enumerate network shares and mounted drives on a network.[2]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

The FIVEHANDS payload is encrypted with AES-128.[1][3][2]

Enterprise T1047 Windows Management Instrumentation

FIVEHANDS can use WMI to delete files on a target machine.[1][3]