Researchers from CrowdStrike, Accenture, and Awake Security have dissected some of the attacks involving the Hades ransomware and published information on both the malware itself and the tactics, techniques and procedures (TTPs) employed by its operators.
Initially observed in December 2020, the self-named Hades ransomware (a different malware family from the Hades Locker ransomware that emerged in 2016) employs a double-extortion tactic, exfiltrating victim data and threatening to leak it publicly unless the ransom is paid.
The adversary appears mainly focused on enterprises, with some of the victims being multi-national organizations with more than $1 billion in annual revenues. The attacks mainly affected Canada, Germany, Luxembourg, Mexico, and the United States.
The Hades ransomware operators targeted a few industries only, including transportation and logistics, consumer products, and manufacturing and distribution — a logistics provider and organizations in the automotive supply chain and manufacturing of insulation products are known victims. At least three of the victims are U.S. companies with more than $1 billion in annual revenue, Accenture notes.
In the ransom note dropped onto the compromised machines, each victim is directed to a unique Tor website — six such sites were identified to date, suggesting that Hades has claimed at least six victims. On that website, the victim is instructed to contact the attackers using the Tox peer-to-peer instant messenger.
The ransomware operators demand payments in the range of $5 to $10 million from their victims. Interestingly enough, despite a relatively low number of victims and the large payment demands, the adversaries appear slow to respond to requests for ransom payment instructions.
In addition to encrypting files on the victim’s machines, the Hades ransomware operators also exfiltrate data deemed to be of interest, and extort the victim into paying the ransom by threatening to make the stolen data public.
However, in the few instances where the attackers followed through with their threat, the leak had a small impact on the victim, despite far more valuable data being exfiltrated during the attack.
“The question that therefore arises, what was the objective of stealing the crown jewels but disclosing less significant bits of information? Did they hold back on publicly sharing the most valuable data because they had alternate means to monetize the proprietary secrets?” Awake notes.
A typical Hades ransomware attack involves the use of legitimate credentials for connecting to Internet-facing systems via Remote Desktop Protocol (RDP) or Virtual Private Network (VPN), followed by the deployment of Cobalt Strike and Empire implants for persistence.
The attackers also leverage various scripts to perform reconnaissance, harvest credentials to elevate privileges when necessary, and identify and compromise additional systems in the network.
In some cases, the adversary would compile the ransomware binary at the same time as data was being exfiltrated from the victim’s environment. The attackers are believed to have been employing a “hands on keyboard” approach in their attacks.
What remains unclear, however, is who exactly might be operating Hades. While Accenture hasn’t made an attribution yet, Awake has drawn some connections with other threat actors, including Hafnium, the Chinese hacking group involved in the recently disclosed Exchange Server hacks.
CrowdStrike, on the other hand, believes that Hades is the work of the infamous Evil Corp gang, the Russian threat actor known for the use of Dridex Trojan, Locky ransomware, and multiple other malware families. Hades, the security firm says, shows multiple code similarities with WastedLocker, a piece of ransomware attributed to Evil Corp last year.
“Hades is merely a 64-bit compiled variant of WastedLocker with additional code obfuscation and minor feature changes. […] Hades ransomware shares the majority of its functionality with WastedLocker; the ISFB-inspired static configuration, multi-staged persistence/installation process, file/directory enumeration and encryption functionality are largely unchanged,” CrowdStrike notes.
Additionally, the security firm says that Hades also marks changes in the TTPs employed by Evil Corp (also known as TA505, and INDRIK SPIDER), which might be a reaction to the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announcing sanctions against the gang and the Department of Justice (DOJ) indicting two members of the group.
“The continued development of WastedLocker ransomware is the latest attempt by the notorious adversary to distance themselves from known tooling to aid them in bypassing the sanctions imposed upon them. The sanctions and indictments have undoubtedly significantly impacted the group and have made it difficult for INDRIK SPIDER to successfully monetize their criminal endeavors,” CrowdStrike concludes.