The Hades ransomware gang has several unique characteristics that set it apart from other groups, according to recent research, including potentially having more than extortion on its to-do list. The group also appears to use multiple nation-state tools and techniques.
There could be more than immediately appears with this targeted attack group.
The researchers stated that their investigations into the group’s cyber-attacks at the end of 2020 suggest one of two possibilities: either an advanced persistent threat (APT), possibly Hafnium, is operating under the guise of Hades; or several different groups coincidentally compromised the same environments, “potentially due to weak security practices in general.”
In one Hades ransomware attack, the Awake team identified a Hafnium domain as an indicator of compromise within the timeline of the Hades attack.
Hafnium is an APT believed to be linked to the Chinese government, which Microsoft identified as carrying out zero-day attacks on Microsoft Exchange servers using the group of vulnerabilities now known as ProxyLogon.
“Moreover, this domain was associated with an Exchange server and was being used for command and control in the days leading up to the encryption event,” explained the post. “Based on another team’s analysis, this domain was first seen in a Hades attack in December 2020.
At this point the vulnerability in Exchange had not been publicly disclosed, but this attack time frame links more closely with the DEVCORE vulnerability discovery date. This clearly provides evidence of the attack before January 2021, which has been the consensus until now.”
Awake researchers also found evidence of other threat actors within some Hades victim environments.
For example, artifacts pointing to the Timisoara Hacker Team (THT) ransomware group (Timisoara being a town in Romania) were seen in many cases, likely left a few weeks before the Hades attack. According to Awake, these included:
- vssadmin was used to clear shadow copies on the local machine
- BitLocker or BestCrypt (bcfmgr) was used for encryption on the local machines
- An external connection was made to the Romanian IP address 185[.]225[.]19[.]240
- For the THT indicators of compromise (IoCs), the Romanian IP address mentioned above was observed in October and November with malicious behaviour and was associated with two new files tracked on VirusTotal.
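As an added illustration (not part of Awake’s reporting or of this article), the following Python sketch runs a detection pass for the THT indicators listed above over a few constructed event lines. The pipe-delimited log format, the hostnames and the inclusion of manage-bde.exe (BitLocker’s command-line tool) as a second encryption-tool indicator are assumptions.

```python
import re
from dataclasses import dataclass

# Indicators reported for the THT activity: shadow-copy deletion via vssadmin,
# BestCrypt (bcfmgr) or BitLocker use, and connections to 185[.]225[.]19[.]240.
THT_IP = "185[.]225[.]19[.]240".replace("[.]", ".")  # refang the defanged IoC
# bcfmgr.exe is named in the report; manage-bde.exe (BitLocker CLI) is an assumption.
ENCRYPTION_TOOLS = {"bcfmgr.exe", "manage-bde.exe"}
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    indicator: str
    evidence: str


def parse_line(line):
    """Parse one constructed 'key=value|key=value' event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def analyse(lines):
    """Return one Finding per THT indicator matched in the event lines."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        host = ev.get("host", "?")
        if ev.get("type") == "proc":
            cmd = ev.get("cmdline", "")
            image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            if SHADOW_DELETE.search(cmd):
                findings.append(Finding(host, "shadow_copy_deletion", cmd))
            if image in ENCRYPTION_TOOLS:
                findings.append(Finding(host, "local_encryption_tool", image))
        elif ev.get("type") == "net" and ev.get("dst") == THT_IP:
            findings.append(Finding(host, "tht_c2_ip", ev["dst"]))
    return findings


# Constructed sample events: three hits on host fs01, benign noise on ws07.
SAMPLE_LOG = [
    "type=proc|host=fs01|image=C:\\Windows\\System32\\vssadmin.exe|cmdline=vssadmin.exe delete shadows /all /quiet",
    "type=proc|host=fs01|image=C:\\Program Files\\Jetico\\BestCrypt\\bcfmgr.exe|cmdline=bcfmgr.exe",
    "type=net|host=fs01|dst=185.225.19.240|dport=443",
    "type=proc|host=ws07|image=C:\\Windows\\System32\\svchost.exe|cmdline=svchost.exe -k netsvcs",
    "type=net|host=ws07|dst=10.0.0.5|dport=445",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.host}: {f.indicator} <- {f.evidence}")
```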
The Awake analysis explains that the Hades gang appears to be selective about its targets, mainly going after organisations focused on manufacturing, especially those in the automotive supply chain and those making insulation products.
“The locations of the attack were slightly dispersed as each of the companies were global in their operational footprints,” observed Awake. “While these organisations were impacted across multiple geographies, we have evidence to suggest that the ransomware attack was focused on…Canada, Germany, Luxembourg, Mexico and the US.”
Slow to Respond
The group of known victims is small, and Awake’s analysis found that Hades asked for between $5 million and $10 million in ransom. However, victims revealed that Hades was slow to respond in negotiations.
“In some cases, they may not have responded at all,” according to this analysis. “In fact, one Twitter user even claimed Hades never responds. If there were only a few organisations attacked, why would it take so long to respond to requests for ransom? Was there another potential motive here?”
Hades’ tools and approaches include several that are often used by espionage-related threat actors, states Awake Labs.
For example, researchers commented that the group used valid accounts throughout victim environments, including both service accounts and privileged admin accounts.
“We also are aware of at least one environment where Mimikatz was used as a method to extract credentials,” observes the post. “This was the same environment with the file winexesvc.exe on the Exchange system where the Hafnium domain was identified.”
From System to System
Hades then moved laterally from system to system across domains to access and prepare files for exfiltration.
“The Hades actors searched local file systems and databases to find files of interest and sensitive data prior to exfiltration,” explained Awake researchers.
“They also searched and collected data from network shares on remote systems. Common targets of this were accessible shared directories on file servers. Awake identified these activities on multiple systems by analysing the ShellBags registry artifact.”
One of the not-so-advanced tactics used by the gang is its penchant for “methods for both their leaks and their drop sites that would likely be taken down within a very short time,” Awake researchers observed.
“There was very little sophistication in this setup, something that stands apart from other ransomware actors.”
Also, the data leaked on the group’s sites seems strangely chosen, researchers commented.
“It was not the most consequential data the actor could have leaked,” they noted. “The data chosen for the leak was a very limited set with little repercussions to the victims. Meanwhile the exfiltrated data was very different, containing large amounts of data focused on manufacturing processes.
The question that therefore arises is: what was the objective of stealing the crown jewels but disclosing less significant bits of information? Did they hold back on publicly sharing the most valuable data because they had alternate means to monetize the proprietary secrets?”
Overall, Awake researchers noted that there are several unique aspects to Hades methods.
“Hades appeared to exhibit a number of characteristics that were at once unlike other ransomware gangs, almost amateurish in a sense, while at the same time showing the type of sophistication and obfuscation that is more the forte of nation-state-based APT,” explained researchers from Awake Labs, in a blog posting on Monday. “Our ‘spidey sense’ certainly went off.”