SonicWall Zero-Day Exploited by Ransomware Group Before It Was Patched (Security News, April 2021)
A zero-day vulnerability addressed by SonicWall in its Secure Mobile Access appliances earlier this year was exploited by a sophisticated and aggressive cybercrime group before the vendor released a patch, FireEye's Mandiant unit reported on Thursday.
Over the past six months, a new cybercrime group has been observed using a broad range of malware and employing aggressive tactics to pressure ransomware victims into paying.
Since November 2020, FireEye reports, the group has been using malware families and ransomware such as Sombrat, FiveHands, the Warprism PowerShell dropper, the Cobalt Strike beacon, and FoxGrabber, and its activity also points to an affiliation with the HelloKitty and RagnarLocker ransomware operations.
Shortly after SonicWall disclosed the breach, some anonymous individuals sent emails to SecurityWeek claiming the company was hit by ransomware and that the attackers had stolen source code and customer data, but none of those claims have been confirmed to date.
Written in C++, the FiveHands ransomware appears to be a rewritten variant of DeathRansom, given the numerous similarities between the two, and it also resembles the HelloKitty ransomware in several respects; notably, all three use the same code to delete volume shadow copies.
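Deleting volume shadow copies before encryption is what makes the files unrecoverable without the attacker's key, so it is one of the most useful things to alert on. The following detector is an added, defensive illustration written for this page; it is not FireEye's or Mandiant's code and the article does not say which deletion method these families share. It parses process-creation log lines in an assumed `timestamp host=… user=… cmd="…"` format (the sample lines are constructed, not real telemetry), flags the well-documented shadow-copy and backup-catalog wiping commands, and reports hosts where more than one distinct technique ran, since that combination is a stronger signal than a single command.

```python
import re

# Constructed sample process-creation log lines in an assumed format.
# They are illustrative only and do not come from the original article.
SAMPLE_LOGS = [
    '2021-04-29T10:01:02Z host=ws01 user=alice cmd="C:\\Windows\\System32\\notepad.exe C:\\Users\\alice\\notes.txt"',
    '2021-04-29T10:03:15Z host=ws01 user=SYSTEM cmd="vssadmin.exe delete shadows /all /quiet"',
    '2021-04-29T10:03:16Z host=ws01 user=SYSTEM cmd="wmic.exe shadowcopy delete"',
    '2021-04-29T10:04:00Z host=srv02 user=backup cmd="vssadmin.exe list shadows"',
    '2021-04-29T10:05:40Z host=srv02 user=SYSTEM cmd="powershell.exe -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    '2021-04-29T10:06:01Z host=ws03 user=bob cmd="wbadmin.exe delete catalog -quiet"',
]

# Well-documented ways shadow copies and the backup catalog get wiped.
# Each entry is (technique name, regex over the command line).
PATTERNS = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+.*delete\s+shadows", re.I)),
    ("vssadmin_resize_storage", re.compile(r"vssadmin(\.exe)?\s+.*resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+.*shadowcopy\s+delete", re.I)),
    ("powershell_win32_shadowcopy_delete", re.compile(r"Win32_ShadowCopy.*\.Delete\(", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+.*delete\s+catalog", re.I)),
]

# Assumed log line layout: <timestamp> host=<host> user=<user> cmd="<command line>"
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(cmd):
    """Return the name of the first shadow-copy deletion pattern the command line matches, or None."""
    for name, rx in PATTERNS:
        if rx.search(cmd):
            return name
    return None


def detect(lines):
    """Return (host, user, technique, cmd) for every line that looks like shadow-copy or catalog deletion."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; skip rather than fail the whole scan
        name = classify(rec["cmd"])
        if name:
            hits.append((rec["host"], rec["user"], name, rec["cmd"]))
    return hits


def hosts_with_multiple_techniques(hits):
    """Hosts on which more than one distinct deletion technique ran, sorted by name."""
    by_host = {}
    for host, _user, name, _cmd in hits:
        by_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in by_host.items() if len(names) > 1)


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for hit in found:
        print(hit)
    print("hosts with multiple techniques:", hosts_with_multiple_techniques(found))
```

A benign `vssadmin list shadows` is deliberately not flagged, and in production the regexes would sit in front of a process-creation feed (Sysmon event 1, Windows 4688) rather than a list of strings; a single `delete catalog` from a backup operator's account may be legitimate, which is why the per-host aggregation is reported separately.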
"Mandiant observed Sombrat and FiveHands ransomware by the same group since January 2021. While similarities between HelloKitty and FiveHands are notable, ransomware may be used by different groups through underground affiliate programs," FireEye concludes.