Researchers have dissected some of the attacks involving the Hades ransomware and published information on both the malware itself and the tactics, techniques and procedures (TTPs) employed by its operators. Initially observed in December 2020, the self-named Hades ransomware (a different malware family from the Hades Locker ransomware that emerged in 2016) employs a double-extortion tactic, exfiltrating victim data and threatening to leak it publicly unless the ransom is paid. Hades was named for a Tor hidden website that victims are instructed to visit; however, Hades is merely a 64-bit compiled variant of WastedLocker with additional code obfuscation and minor feature changes. The ISFB-inspired static configuration, multi-staged persistence/installation process, file/directory enumeration and encryption functionality are largely unchanged.
The adversary appears mainly focused on enterprises, with some of the victims being multi-national organizations with more than $1 billion in annual revenues. The attacks mainly affected Canada, Germany, Luxembourg, Mexico, and the United States.
The Hades ransomware operators targeted only a few industries, including transportation and logistics, consumer products, and manufacturing and distribution. A logistics provider and organizations in the automotive supply chain and in the manufacturing of insulation products are known victims. At least three of the victims are U.S. companies with more than $1 billion in annual revenue.
In the ransom note dropped onto the compromised machines, each victim is directed to a unique Tor website; six such sites have been identified to date, suggesting that Hades has claimed at least six victims. On that website, the victim is instructed to contact the attackers using the Tox peer-to-peer instant messenger.
The ransomware operators demand payments in the range of US$5 to US$10 million from their victims. Interestingly enough, despite a relatively low number of victims and the large payment demands, the adversaries appear slow to respond to requests for ransom payment instructions.
In addition to encrypting files on the victim’s machines, the Hades ransomware operators also exfiltrate data deemed to be of interest, and extort the victim into paying the ransom by threatening to make the stolen data public. In the few instances where the attackers followed through with their threat, the leak had a small impact on the victim, despite far more valuable data being exfiltrated during the attack.
“The question that therefore arises, what was the objective of stealing the crown jewels but disclosing less significant bits of information? Did they hold back on publicly sharing the most valuable data because they had alternate means to monetize the proprietary secrets?” noted one of the research firms, Awake Security.
A typical Hades ransomware attack involves the use of legitimate credentials for connecting to Internet-facing systems via Remote Desktop Protocol (RDP) or Virtual Private Network (VPN), followed by the deployment of Cobalt Strike and Empire implants for persistence. The attackers also leverage various scripts to perform reconnaissance, harvest credentials to elevate privileges when necessary, and identify and compromise additional systems in the network.
In some cases, the adversary would compile the ransomware binary at the same time as data was being exfiltrated out of the victim’s environment. The attackers are believed to have been employing a “hands on keyboard” approach in their attacks.
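The initial access and lateral movement described above (valid credentials over RDP, then reconnaissance and compromise of additional systems) leaves a trail in Windows Security logs. The following Python example is added here and is not code from the article or from Red Sky Alliance; it runs over a few constructed 4624 logon events (EventID 4624, LogonType 10 is RemoteInteractive/RDP) and flags RDP logons from non-RFC1918 source addresses and accounts that fan out to many hosts over RDP. The field layout of the sample lines is an assumption for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of Windows Security 4624 logon events (not real victim data).
# Fields: timestamp, EventID, LogonType, account, source IP, target host.
SAMPLE_EVENTS = """\
2021-03-01T02:14:07Z 4624 10 corp\\svc_backup 203.0.113.45 VPN-GW01
2021-03-01T02:16:22Z 4624 10 corp\\svc_backup 10.0.5.12 FS01
2021-03-01T02:17:40Z 4624 10 corp\\svc_backup 10.0.5.12 FS02
2021-03-01T02:18:03Z 4624 10 corp\\svc_backup 10.0.5.12 DC01
2021-03-01T09:30:11Z 4624 10 corp\\jdoe 10.0.7.33 WS-JDOE
2021-03-01T09:31:45Z 4624 3 corp\\jdoe 10.0.7.33 FS01
"""

# RFC1918 ranges; adjust to the organization's actual internal address space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_events(text):
    """Parse the whitespace-separated sample format into dicts."""
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, account, src_ip, host = line.split()
        events.append({"ts": ts, "event_id": int(event_id),
                       "logon_type": int(logon_type), "account": account,
                       "src_ip": src_ip, "host": host})
    return events

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_suspicious_rdp(events, host_threshold=3):
    """Return findings for external-sourced RDP logons and RDP fan-out by one account."""
    findings = []
    rdp = [e for e in events if e["event_id"] == 4624 and e["logon_type"] == 10]
    for e in rdp:
        if not is_internal(e["src_ip"]):
            findings.append(("external_rdp", e["account"], e["src_ip"]))
    hosts_per_account = defaultdict(set)
    for e in rdp:
        hosts_per_account[e["account"]].add(e["host"])
    for account, hosts in hosts_per_account.items():
        if len(hosts) >= host_threshold:
            findings.append(("rdp_fanout", account, len(hosts)))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_rdp(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

In a real deployment the same logic would be fed from exported event logs or a SIEM query, with the fan-out threshold tuned to the environment's normal administrator behaviour.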
What is unclear is who exactly might be operating Hades. While investigators have not made an attribution, Awake has drawn some connections with other threat actors, including Hafnium, the Chinese hacking group involved in the recently disclosed Exchange Server hacks.
CrowdStrike believes that Hades is the work of the infamous Evil Corp gang, the Russian threat actor known for the use of the Dridex Trojan, Locky ransomware, and multiple other malware families. Hades, the security firm says, shows multiple code similarities with WastedLocker, a piece of ransomware attributed to Evil Corp last year.
Additionally, the security firm says that Hades also marks changes in the TTPs employed by Evil Corp (also known as TA505, and INDRIK SPIDER), which might be a reaction to the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announcing sanctions against the gang and the Department of Justice (DOJ) indicting two members of the group.
The continued development of WastedLocker ransomware is the latest attempt by the notorious adversary to distance themselves from known tooling to aid them in bypassing the sanctions imposed upon them. The sanctions and indictments have undoubtedly significantly impacted the group and have made it difficult for INDRIK SPIDER to successfully monetize their criminal endeavors.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement two-factor authentication company-wide.
- For USA readers, join and become active in your local InfraGard chapter; there is no charge for membership (infragard.org).
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all employees and consultants working from home.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
Reporting: https://www.redskyalliance.org/
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/wapacklabs/
Twitter: https://twitter.com/wapacklabs?lang=en
Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/8782169210544615949
TR-21-108-002_Hades_Ransomware.pdf
https://www.securityweek.com/hades-ransomware-hits-big-firms-operators-slow-respond-victims