S0618: FIVEHANDS
Analyst context for executives and security teams
FIVEHANDS is a Windows ransomware family described by ATT&CK as a customized C++ version of DEATHRANSOM, observed since at least 2021 and used in Ransomware-as-a-Service campaigns. Its mapped behaviors matter because they span execution, discovery of files and network shares, obfuscation/deobfuscation, encryption for impact, and inhibition of recovery—areas that directly determine whether an organization can contain an intrusion before business disruption.
Executive priority
Treat this object as a ransomware-readiness validation case. Leaders should ask whether Windows endpoint monitoring, WMI/script execution visibility, network share governance, backup resilience, and recovery controls are evidenced and tested—not just documented. The business decision value is in confirming that SOC and IR teams can see pre-impact discovery and recovery-inhibition behavior early enough to act, and that recovery options are protected from the same Windows environment being encrypted.
Technical view
For SOC, detection engineering, and IR teams, validate coverage around the ATT&CK relationships: WMI execution (T1047), command/script interpreter activity (T1059), file and directory discovery (T1083), network share discovery (T1135), encrypted or encoded files and deobfuscation behavior (T1027.013, T1140), data encryption for impact (T1486), and inhibition of system recovery (T1490). Because ATT&CK provides no official detection text for FIVEHANDS, detections should be behavior-led and environment-tuned rather than family-name dependent.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- WMI activity, including local or remote execution context where collected
- File system enumeration and high-volume file modification or encryption indicators
- Network share access and discovery evidence, especially SMB share activity on Windows networks
- Signals of encoded/encrypted artifacts or runtime deobfuscation on hosts
Detection direction
- Correlate execution telemetry with discovery activity against local files, directories, and network shares; isolated discovery commands may be administrative, but discovery followed by broad file modification is higher-risk.
- Validate WMI monitoring quality, including command content, parent/child process context, user context, and remote execution visibility where available.
- Tune for ransomware impact patterns such as rapid file writes/renames/encryption across local and shared paths, while accounting for legitimate bulk administrative or backup operations.
- Monitor recovery-inhibition attempts as urgent signals because they affect incident recovery options, even before encryption is widespread.
- Do not rely only on static malware naming: ATT&CK notes obfuscation/encoding and deobfuscation behaviors, so behavioral detections are important when signatures are bypassed or artifacts change.
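The detection direction above can be exercised with a small behavior-led correlator. The following is an added example (not part of the ATT&CK object, the Glexia mirror, or any vendor product): it reads constructed Windows process-creation and file-modification events, raises an urgent alert on generic T1490 recovery-inhibition command lines (the `vssadmin`/`wmic`/`wbadmin` patterns are generic ATT&CK procedure patterns, not FIVEHANDS-specific indicators), records WMI-spawned execution context via the parent image, remembers discovery commands without alerting on them in isolation, and escalates bulk file modification only when it follows discovery on the same host inside a window. The event field names, thresholds, window, allowlisted backup process and all sample events are assumptions made for illustration and must be tuned to local telemetry.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Generic T1490 recovery-inhibition command patterns (assumed; not FIVEHANDS-specific IoCs).
RECOVERY_INHIBITION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy", re.I),             # shadow copy class reached via WMI scripting
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]
# Generic T1083 / T1135 local and share discovery patterns (assumed).
DISCOVERY = [
    re.compile(r"\bnet1?(\.exe)?\s+(view|share)\b", re.I),
    re.compile(r"\bdir\b.*\s/s\b", re.I),
    re.compile(r"Get-SmbShare|Get-ChildItem\s+-Recurse", re.I),
]
WMI_PARENTS = {"wmiprvse.exe"}            # parent image showing WMI-spawned execution (T1047 context)
BACKUP_ALLOWLIST = {"backupagent.exe"}    # assumed legitimate bulk-file process; tune per environment
WINDOW = timedelta(minutes=10)            # correlation window after a discovery command
BULK_THRESHOLD = 200                      # file writes/renames per host inside the window


def _ts(s):
    return datetime.fromisoformat(s)


def detect(events):
    """Return a list of alert dicts for a list of telemetry event dicts.

    kind='process': ts, host, user, image, parent, cmd
    kind='filemod': ts, host, image, count  (count = writes/renames aggregated by the sensor)
    """
    alerts = []
    last_discovery = {}                   # host -> time of most recent discovery command
    recent_mods = defaultdict(deque)      # host -> deque of (time, count) inside WINDOW
    bulk_alerted = set()
    for e in sorted(events, key=lambda x: x["ts"]):   # ISO-8601 strings sort chronologically
        t, host = _ts(e["ts"]), e["host"]
        if e["kind"] == "process":
            cmd = e.get("cmd", "")
            via_wmi = e.get("parent", "").lower() in WMI_PARENTS
            if any(p.search(cmd) for p in RECOVERY_INHIBITION):
                # Recovery inhibition is urgent on its own: it removes restore options before impact.
                alerts.append({"host": host, "rule": "T1490 recovery inhibition",
                               "severity": "critical", "via_wmi": via_wmi, "cmd": cmd})
            elif any(p.search(cmd) for p in DISCOVERY):
                last_discovery[host] = t  # isolated discovery is remembered, not alerted
        elif e["kind"] == "filemod":
            if e.get("image", "").lower() in BACKUP_ALLOWLIST:
                continue                  # tuning: a known backup agent touching many files
            q = recent_mods[host]
            q.append((t, e["count"]))
            while q and t - q[0][0] > WINDOW:
                q.popleft()               # keep only modifications inside the sliding window
            total = sum(c for _, c in q)
            if total >= BULK_THRESHOLD and host not in bulk_alerted:
                bulk_alerted.add(host)
                disc = last_discovery.get(host)
                preceded = disc is not None and t - disc <= WINDOW
                alerts.append({"host": host,
                               "rule": "bulk file modification" + (" after discovery" if preceded else ""),
                               "severity": "high" if preceded else "medium",
                               "files": total, "image": e.get("image", "")})
    return alerts


# Constructed sample telemetry (not real logs; hosts, users and images are invented).
SAMPLE_EVENTS = [
    {"kind": "process", "ts": "2021-05-01T09:00:00", "host": "WS01", "user": "jdoe",
     "image": "net.exe", "parent": "cmd.exe", "cmd": "net view \\\\FILESRV01"},
    {"kind": "filemod", "ts": "2021-05-01T09:01:30", "host": "WS01", "image": "unknown.exe", "count": 120},
    {"kind": "filemod", "ts": "2021-05-01T09:02:10", "host": "WS01", "image": "unknown.exe", "count": 150},
    {"kind": "process", "ts": "2021-05-01T09:03:00", "host": "WS01", "user": "jdoe",
     "image": "vssadmin.exe", "parent": "WmiPrvSE.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"kind": "filemod", "ts": "2021-05-01T22:00:00", "host": "WS02", "image": "backupagent.exe", "count": 5000},
    {"kind": "process", "ts": "2021-05-01T10:00:00", "host": "WS03", "user": "admin",
     "image": "net.exe", "parent": "cmd.exe", "cmd": "net share"},
    {"kind": "filemod", "ts": "2021-05-01T11:00:00", "host": "WS04", "image": "explorer.exe", "count": 300},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the correlator produces three alerts: a high-severity bulk-modification alert on WS01 because 270 file changes followed a share-discovery command within the window, a critical T1490 alert on WS01 carrying the WMI parent context, and a medium-severity bulk-modification alert on WS04 where no discovery preceded it. WS02's backup agent is suppressed by the allowlist and WS03's lone `net share` produces nothing, which is the tuning trade-off the bullets above describe.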
Mitigation priorities
- Prioritize tested, protected, and access-controlled backups and recovery procedures, since mapped behavior includes data encryption and inhibition of recovery.
- Restrict and monitor administrative execution paths such as WMI and command/script interpreters according to least privilege and operational need.
- Reduce unnecessary network share exposure and validate permissions on shared folders and drives to limit encryption blast radius.
- Ensure Windows endpoint logging and centralized retention are sufficient for IR reconstruction of execution, discovery, share access, and recovery-control changes.
- Run ransomware tabletop or technical validation exercises that prove SOC escalation, containment, backup restoration, and evidence preservation workflows.
Analyst notes and limits
This take is based on the supplied ATT&CK software object, its official description, external references, and listed technique relationships. The most useful defensive framing is not the malware name alone, but the mapped behavior chain: execute, discover local/shared data, evade simple inspection through encoding/decoding, encrypt data, and impair recovery.
ATT&CK does not provide official detection guidance, aliases, labels, or object-level tactics for FIVEHANDS in the supplied fields. Local validation is required to determine whether these behaviors are visible in the organization’s Windows telemetry and whether detections are reliable in the presence of legitimate administration and backup activity.
FIVEHANDS
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | FIVEHANDS can use WMI to delete files on a target machine. (Citations: FireEye FiveHands April 2021; CISA AR21-126A FIVEHANDS May 2021) |
| Enterprise | T1059 | Command and Scripting Interpreter | FIVEHANDS can receive a command line argument to limit file encryption to specified directories. (Citations: FireEye FiveHands April 2021; NCC Group Fivehands June 2021) |
| Enterprise | T1135 | Network Share Discovery | FIVEHANDS can enumerate network shares and mounted drives on a network. (Citation: NCC Group Fivehands June 2021) |
| Enterprise | T1083 | File and Directory Discovery | FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions. (Citations: CISA AR21-126A FIVEHANDS May 2021; NCC Group Fivehands June 2021) |
| Enterprise | T1486 | Data Encrypted for Impact | FIVEHANDS can use an embedded NTRU public key to encrypt data for ransom. (Citations: FireEye FiveHands April 2021; CISA AR21-126A FIVEHANDS May 2021; NCC Group Fivehands June 2021) |
| Enterprise | T1490 | Inhibit System Recovery | FIVEHANDS has the ability to delete volume shadow copies on compromised hosts. (Citations: FireEye FiveHands April 2021; CISA AR21-126A FIVEHANDS May 2021) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | FIVEHANDS has the ability to decrypt its payload prior to execution. (Citations: FireEye FiveHands April 2021; CISA AR21-126A FIVEHANDS May 2021; NCC Group Fivehands June 2021) |
| Enterprise | T1027.013 | Encrypted/Encoded File | The FIVEHANDS payload is encrypted with AES-128. (Citations: FireEye FiveHands April 2021; CISA AR21-126A FIVEHANDS May 2021; NCC Group Fivehands June 2021) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 34de1fe8a108… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye FiveHands April 2021. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
[2] NCC Group Fivehands June 2021. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.
[3] mitre-attack S0618.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.