ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > UNC2447

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: UNC2447

NamesUNC2447 (FireEye)
Country[Unknown]
MotivationFinancial gain
First seen2020
Description(FireEye) Mandiant has observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported by other vendors as SOMBRAT. Mandiant has linked the use of SOMBRAT to the deployment of ransomware, which has not been previously reported publicly.

UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums. UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics.
ObservedCountries: Europe and North America.
Tools used7-Zip, AdFind, BloodHound, Cobalt Strike, DeathRansom, FIVEHANDS, FOXGRABBER, HELLOKITTY, Mimikatz, PCHUNTER, RagnarLocker, RCLONE, ROUTERSCAN, S3BROWSER, SombRAT, WARPRISM, ZAP.
Information<https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html>

Last change to this card: 15 May 2021

Download this actor card in PDF or JSON format

Previous: UltraRank
Next: UNC2452, Dark Halo, SolarStorm

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key