CrowdStrike, Accenture, and Awake Security researchers have dissected several Hades ransomware attacks and released details on the malware as well as the tactics, techniques, and procedures (TTPs) used by its operators.
The self-named Hades ransomware (a separate malware family from the Hades Locker ransomware that first appeared in 2016) uses a double-extortion tactic: it steals victim data and threatens to publish it unless the ransom is paid.
#Ransomware Hunt: Calls itself “Hades ransomware”. Extension is random 5 lowercase alphanum, note “HOW-TO-DECRYPT-xxxxx.txt” (xxxxx = extension of files)
Seen x3 different Tor URLs pointing to the exact same site and Tox address – TA never responds. pic.twitter.com/sy2eYecxXV
— Michael Gillespie (@demonslay335) December 16, 2020
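The naming convention in the tweet above (a random five-character lowercase alphanumeric extension, and a ransom note whose name embeds that same extension) is enough to build a simple triage check. The following is an added example, not code from the original page or from any of the vendors cited; it walks a file listing, recovers the extension from any HOW-TO-DECRYPT note it finds, and reports only extensions that both have a matching note and appear on several files, which keeps legitimate five-character extensions such as .class from triggering. The sample listing and the hit threshold are constructed for the example.

```python
import re

# Naming pattern reported for Hades: note is HOW-TO-DECRYPT-<ext>.txt where
# <ext> is the same five lowercase alphanumerics appended to encrypted files.
NOTE_RE = re.compile(r"^HOW-TO-DECRYPT-([a-z0-9]{5})\.txt$")
EXT_RE = re.compile(r"\.([a-z0-9]{5})$")

# Constructed listing for the example (forward slashes so it runs anywhere).
SAMPLE_LISTING = [
    "C:/Users/a/Documents/q1.xlsx.k7p3q",
    "C:/Users/a/Documents/plan.docx.k7p3q",
    "C:/Users/a/Documents/HOW-TO-DECRYPT-k7p3q.txt",
    "C:/Users/a/Documents/budget.pdf.k7p3q",
    "C:/Users/a/src/Main.class",                 # legit 5-char ext, no note
    "C:/Users/a/src/HOW-TO-DECRYPT-zz999.txt",   # note with no encrypted files
    "C:/Users/a/readme.txt",
]


def note_extension(filename):
    """Return the extension embedded in a Hades-style ransom note name, else None."""
    m = NOTE_RE.match(filename)
    return m.group(1) if m else None


def scan_listing(paths, min_hits=3):
    """Map each suspicious extension to the files carrying it.

    An extension is reported only when a matching ransom note exists AND at
    least min_hits files carry it; either condition alone is too noisy.
    """
    notes = set()
    by_ext = {}
    for path in paths:
        name = path.rsplit("/", 1)[-1]
        ext = note_extension(name)
        if ext:
            notes.add(ext)
            continue
        m = EXT_RE.search(name)
        if m:
            by_ext.setdefault(m.group(1), []).append(path)
    return {ext: files for ext, files in by_ext.items()
            if ext in notes and len(files) >= min_hits}


if __name__ == "__main__":
    for ext, files in scan_listing(SAMPLE_LISTING).items():
        print(f"extension .{ext}: {len(files)} encrypted file(s), note present")
```

Run it against a recursive listing of a suspect host or file share; the note-plus-extension pairing is the signal, so a single five-character extension on its own should not be treated as a hit.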
The adversary appears to be primarily targeting businesses, with some of the victims being multi-national corporations with annual revenues exceeding $1 billion. Canada, Germany, Luxembourg, Mexico, and the United States were the countries most impacted by the attacks.
Only a few sectors were targeted by the Hades ransomware operators, including transportation and logistics, consumer goods, and manufacturing and distribution — identified victims include a logistics provider, companies in the automotive supply chain, and insulation product manufacturers. According to Accenture, at least three of the victims are U.S. firms with annual revenues of more than $1 billion.
Each victim is led to a special Tor website in the ransom note left on the compromised machines — six such sites have been found so far, meaning that Hades has at least six victims. The victim is instructed to contact the attackers via the Tox peer-to-peer instant messenger on that website.
The ransomware operators demand $5 to $10 million from their victims. Surprisingly, despite the small number of victims and the high demands, the adversaries appear slow to respond when victims ask for payment instructions.
In addition to encrypting files on the victim’s computers, the Hades ransomware operators also exfiltrate data considered to be of interest, threatening to make the compromised data public if the victim does not pay the ransom.
In the few cases where the attackers followed through on their threat, the data they leaked had only a minor effect on the victim, even though far more valuable data had been exfiltrated during the attack.
“This raises the question: what was the goal of stealing the crown jewels but revealing less valuable bits of information? Did they withhold publicly sharing the most valuable information because they had other ways to profit from the proprietary information?” Awake notes.
A typical Hades attack begins with valid credentials used to log in to Internet-facing systems over Remote Desktop Protocol (RDP) or a Virtual Private Network (VPN), followed by the deployment of Cobalt Strike and Empire implants for persistence.
The attackers then use a variety of scripts for reconnaissance, credential collection, and locating and compromising additional systems on the network.
In some intrusions the adversary compiled the ransomware binary while the victim’s data was still being exfiltrated, which, together with the other observations, points to a “hands on keyboard” approach rather than an automated one.
Who is running Hades, however, is still unknown. Accenture has not attributed the activity, while Awake has found some connections to other threat actors, including Hafnium, the Chinese hacking group blamed for the recently exposed Exchange Server attacks.
CrowdStrike, on the other hand, suspects Hades is the work of the notorious Evil Corp group, a Russian threat actor responsible for the Dridex Trojan, Locky ransomware, and a variety of other malware families. Hades, according to the security company, shares some code similarities with WastedLocker, a ransomware strain connected to Evil Corp last year.
“Hades is merely a 64-bit compiled version of WastedLocker with minor feature improvements and additional code obfuscation. […] The majority of the functionality of Hades ransomware is similar to WastedLocker; the ISFB-inspired static configuration, multi-staged persistence/installation mechanism, file/directory enumeration, and encryption functionality are largely unchanged,” according to CrowdStrike.
Hades also marks an evolution in the TTPs of Evil Corp (also referred to as TA505, and tracked by CrowdStrike as INDRIK SPIDER), which the security company suggests may be a response to the US Treasury Department’s Office of Foreign Assets Control (OFAC) announcing sanctions against the gang and the Department of Justice (DOJ) indicting two of its members.
“The ongoing development of the WastedLocker ransomware is the latest effort by the infamous adversary to separate themselves from established tooling that could assist them in evading sanctions. The sanctions and indictments have certainly had a huge effect on the organisation, making it more difficult for INDRIK SPIDER to profit from their illegal activities,” CrowdStrike concludes.