Hades ransomware gang targets big organizations in the US

Accenture security researchers published an analysis of the latest Hades campaign, which has been ongoing since at least December 2020.

Accenture’s Cyber Investigation & Forensic Response (CIFR) and Cyber Threat Intelligence (ACTI) teams published an analysis of the latest campaign conducted by the financially motivated threat group Hades, which has been operating since at least December 2020.

Experts discovered that threat actors targeted a large US transportation & logistics organization, a large US consumer products organization, and a global manufacturing organization. At the time of this writing, it is unclear if the Hades gang operates a ransom-as-a-service model.

The profile of the victims suggests the attackers are focusing on Big Game Hunting, targeting organizations with annual revenues exceeding $1 billion USD.

Experts identified Tor hidden services and clearnet URLs via various open-source reporting that could be associated with the activity of the Hades ransomware. The ransom note left by the malware points to Tor pages that are uniquely generated for each victim. 

Accenture researchers also noticed that the Hades ransom notes share portions with those used by the REvil ransomware operators; the only differences are the operators’ contact information and the formatting of the notes. While the ransom notes are similar, Accenture does not have any evidence to suggest the threat groups or operations overlap at this time.

Researchers from Crowdstrike speculate that the new variant is a successor to WastedLocker ransomware and linked the operations to Evil Corp operations.

The attack chain begins with attacks on internet-facing systems via Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) using legitimate credentials.

Upon running on the victim’s machine, the malicious code creates a copy of itself and relaunches via the command line. The copy is then deleted and an executable is unpacked in memory. The malware then scans local directories and network shares for content to encrypt. Experts noticed that each Hades ransomware sample appends a different extension to the files it encrypts and drops a ransom note named “HOW-TO-DECRYPT-[extension].txt”.

“The use of legitimate credentials, service creation, and distribution of Command and Control (C2) beacons across victim environments through the use of Cobalt Strike and Empire, so far appear to be the predominant approach used by the unknown threat group to further their foothold and maintain persistence. In addition, the threat actors operated out of the root of C:\ProgramData where several executables tied to the intrusion set were found,” reads the analysis published by Accenture.

The analysis of the malware revealed the use of code obfuscation to avoid detection, while privilege escalation is achieved through credential harvesting, the use of tooling, and manual enumeration of credentials.

Like other ransomware, Hades steals data before starting the encryption process and sends it back to the C2.

“Prior to deploying Hades ransomware, the unknown threat group has employed the 7zip utility to archive data that was then staged and exfiltrated to an attacker-controlled server hosted in Mega[.]nz cloud infrastructure, leveraging the MEGAsync utility,” concludes the report. “In addition to data theft, actors deploy Hades ransomware to encrypt files identified on the victim network. Hades operators leverage this approach for ‘double-extortion’ tactics.”
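The behavioural indicators above (a per-sample extension with a matching “HOW-TO-DECRYPT-[extension].txt” note, executables dropped in the root of C:\ProgramData, and the 7zip/MEGAsync staging step) lend themselves to a quick triage pass over a file listing from an affected host or share. The script below is an added example for illustration, not Accenture's or this article's code. It runs offline over a constructed list of Windows paths; the binary names it uses for the staging tools (7z.exe, 7za.exe, MEGAsync.exe) are an assumption, not something the report states.

```python
"""Triage helper for the Hades indicators described in the article.

Added example (not Accenture's or Security Affairs' code). Works over a
list of file paths, e.g. a directory listing taken from a forensic image,
and reports:
  * ransom notes matching HOW-TO-DECRYPT-<ext>.txt and the extension they name
  * files that carry that extension (likely encrypted)
  * executables sitting directly in the root of C:\\ProgramData
  * binaries matching the archiving/sync tools named in the report
    (the exact file names below are an assumption)
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Note name pattern from the report: HOW-TO-DECRYPT-[extension].txt
NOTE_RE = re.compile(r"^HOW-TO-DECRYPT-(?P<ext>[A-Za-z0-9]+)\.txt$", re.IGNORECASE)
PROGRAMDATA_ROOT = PureWindowsPath(r"C:\ProgramData")
EXECUTABLE_SUFFIXES = {".exe", ".dll"}
# Assumed file names for the 7zip and MEGAsync utilities mentioned in the report.
STAGING_TOOL_NAMES = {"7z.exe", "7za.exe", "megasync.exe"}

# Constructed sample listing (not real IoCs): one victim extension "a1b2c3".
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.a1b2c3",
    r"C:\Users\alice\Documents\HOW-TO-DECRYPT-a1b2c3.txt",
    r"\\fileserver\share\reports\q4.docx.a1b2c3",
    r"\\fileserver\share\reports\HOW-TO-DECRYPT-a1b2c3.txt",
    r"C:\ProgramData\update.exe",
    r"C:\ProgramData\Microsoft\Windows\legit.dll",
    r"C:\ProgramData\7za.exe",
    r"C:\Users\alice\AppData\Local\MEGAsync\MEGAsync.exe",
    r"C:\Users\alice\Documents\notes.txt",
]


def note_extension(path):
    """Return the extension named by a Hades-style ransom note, or None."""
    m = NOTE_RE.match(PureWindowsPath(path).name)
    return m.group("ext").lower() if m else None


def triage(paths):
    """Summarise Hades-related indicators found in a list of file paths."""
    # Pass 1: learn the victim-specific extension(s) from the ransom notes.
    notes, note_exts = [], set()
    for p in paths:
        ext = note_extension(p)
        if ext:
            notes.append(p)
            note_exts.add(ext)

    # Pass 2: count encrypted files and flag suspicious binaries.
    encrypted = Counter()
    programdata_root_execs, staging_tools = [], []
    for p in paths:
        wp = PureWindowsPath(p)
        suffix = wp.suffix.lower()          # e.g. ".a1b2c3"
        if suffix[1:] in note_exts:
            encrypted[suffix[1:]] += 1
        # PureWindowsPath compares case-insensitively, so C:\programdata matches too.
        if wp.parent == PROGRAMDATA_ROOT and suffix in EXECUTABLE_SUFFIXES:
            programdata_root_execs.append(p)
        if wp.name.lower() in STAGING_TOOL_NAMES:
            staging_tools.append(p)

    return {
        "ransom_notes": notes,
        "note_extensions": note_exts,
        "encrypted_counts": dict(encrypted),
        "programdata_root_executables": programdata_root_execs,
        "staging_tools": staging_tools,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

In practice the path list would come from a recursive listing of the host and its mapped shares; the two-pass design matters because the encrypted-file extension is only known once a note has been found, which is also why a listing with no notes yields an empty `encrypted_counts` rather than a guess.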

CIFR and ACTI also provided Indicators of Compromise (IoC) for the Hades attacks. 


Pierluigi Paganini

(SecurityAffairs – hacking, Hades ransomware)
