fivehands

ransomware group

FiveHands is a ransomware family first observed in January 2021, believed to be a successor to the HelloKitty ransomware variant. It operates under a Ransomware-as-a-Service (RaaS) model and uses the double-extortion tactic, encrypting files while threatening to leak stolen data via a Tor-based site. FiveHands is written in C# and leverages the NTRUEncrypt algorithm for file encryption alongside Curve25519 for key exchange. The ransomware is commonly deployed via Malwarebytes SombRAT or Cobalt Strike beacons after initial compromise, often gained through exploitation of vulnerable VPNs, phishing, or compromised credentials. FiveHands has targeted organizations in healthcare, finance, and manufacturing across North America, Europe, and Asia.