There could be more than immediately meets the eye with this particular attack group.
The Hades ransomware gang has numerous unique traits that set it apart from the rest of the pack, according to researchers – including possibly having more than extortion on the to-do list. The group appears to use several nation-state tools and techniques.
The researchers said that their investigations into the group’s cyberattacks at the end of 2020 suggest one of two possibilities: there is an advanced persistent threat (APT) operating under the guise of Hades, possibly Hafnium; or, multiple different groups coincidentally compromised the same environments, “potentially due to weak security practices in general.”
The Hafnium Link
In one Hades ransomware attack, the Awake team identified a Hafnium domain as an indicator of compromise within the timeline of the Hades attack.
Hafnium is an APT believed to be linked to the Chinese government, which Microsoft identified as carrying out zero-day attacks on Microsoft Exchange servers using the group of vulnerabilities now known as ProxyLogon.
“Moreover, this domain was associated with an Exchange server and was being used for command and control in the days leading up to the encryption event,” according to the posting. “Based on [another team’s] analysis this domain was first seen in a Hades attack in December 2020. Obviously at this point the vulnerability in Exchange had not been publicly disclosed but this attack time frame aligns more closely with the DevCore vulnerability discovery date. This clearly gives evidence of the attack prior to January 2021, which has been the consensus till now.”
Connections to Other Groups
Awake researchers also uncovered evidence of other threat actors inside some Hades victim environments.
For instance, artifacts pointing to the TimisoaraHackerTeam (THT) ransomware group (named after a city in Romania) were observed in several cases, likely left a couple of weeks before the Hades attack. According to Awake, these included:
- VSS Admin was used to clear shadow copies of the local machines
- Bitlocker or BestCrypt (bcfmgr) was used for encryption on the local machines
- An external IP connection was made to the Romanian IP 185[.]225[.]19[.]240
- For the THT indicators of compromise (IoCs), the IP address listed from Romania was observed between October and November with malicious behavior and associated with two new files tracked on VirusTotal.
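The three THT indicators above (shadow copies cleared with vssadmin, BestCrypt's bcfmgr running on local machines, and an outbound connection to the listed Romanian IP) are the kind of thing a defender would want to correlate on a single host. The script below is an added example, not code from Awake or from the article; it runs a small rule set over constructed endpoint telemetry lines. The `key=value` log layout, host names, user names and timestamps are assumptions invented for the example; the only value taken from the article is the IoC IP 185[.]225[.]19[.]240, refanged so it can be compared.

```python
"""Toy detection pass for the THT indicators named in the article:
vssadmin clearing shadow copies, BestCrypt (bcfmgr) execution, and
outbound connections to the listed Romanian IP. Added example code."""
import re
from typing import Dict, List, Tuple

# IoC from the article (written there defanged as 185[.]225[.]19[.]240).
THT_IP = "185.225.19.240"

# Constructed sample telemetry; the "<ts> <event> key=value ..." layout is an
# assumption for this example, not any product's real log format.
SAMPLE_LOGS = [
    '2020-11-02T10:14:03Z ProcessCreate host=FS01 user=CORP\\svc_backup '
    'image="C:\\Windows\\System32\\vssadmin.exe" '
    'cmdline="vssadmin delete shadows /all /quiet"',
    '2020-11-02T10:15:10Z ProcessCreate host=FS01 user=CORP\\svc_backup '
    'image="C:\\Program Files\\Jetico\\BestCrypt\\bcfmgr.exe" cmdline="bcfmgr.exe"',
    '2020-11-02T10:16:44Z NetworkConnect host=FS01 user=CORP\\svc_backup '
    'dst=185.225.19.240 dport=443',
    '2020-11-02T10:20:00Z ProcessCreate host=WS22 user=CORP\\alice '
    'image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe report.txt"',
    '2020-11-02T10:21:00Z NetworkConnect host=WS22 user=CORP\\alice '
    'dst=93.184.216.34 dport=443',
]

# key=value pairs; values may be double-quoted (to allow spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split one telemetry line into timestamp, event type and its fields."""
    ts, event, rest = line.split(" ", 2)
    fields = {"ts": ts, "event": event}
    for m in _KV.finditer(rest):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(fields: Dict[str, str]) -> List[str]:
    """Return the names of every indicator rule the event matches."""
    hits: List[str] = []
    if fields["event"] == "ProcessCreate":
        image = _basename(fields.get("image", ""))
        cmdline = fields.get("cmdline", "").lower()
        # Shadow copy removal via vssadmin, the first THT indicator.
        if image == "vssadmin.exe" and re.search(r"\bdelete\s+shadows\b", cmdline):
            hits.append("shadow_copy_deletion")
        # BestCrypt's manager binary, the second indicator.
        if image == "bcfmgr.exe":
            hits.append("bestcrypt_execution")
    elif fields["event"] == "NetworkConnect":
        # Outbound connection to the published IoC, the third indicator.
        if fields.get("dst") == THT_IP:
            hits.append("tht_ioc_connection")
    return hits


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every rule over every line; yields (rule, host, timestamp) alerts."""
    alerts = []
    for line in lines:
        fields = parse_line(line)
        for rule in classify(fields):
            alerts.append((rule, fields["host"], fields["ts"]))
    return alerts


def hosts_with_multiple_indicators(alerts: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Hosts on which two or more distinct indicators fired; any one rule alone
    (vssadmin has legitimate admin uses) is weaker evidence than the cluster."""
    by_host: Dict[str, set] = {}
    for rule, host, _ in alerts:
        by_host.setdefault(host, set()).add(rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= 2}


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for alert in found:
        print(alert)
    print(hosts_with_multiple_indicators(found))
```

The per-host grouping is the point of the example: a lone `vssadmin delete shadows` from a backup service account is noisy on its own, but the same host also launching bcfmgr and reaching the published IoC within minutes is the pattern the article's indicator list describes.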
Hades Victimology
According to the Awake analysis, the Hades gang appears to be picky about its targets, and primarily goes after organizations with a focus on manufacturing, particularly those in the automotive supply chain as well as those with insulation products.
“The locations of the attack were slightly dispersed as each of the companies were global in their operational footprints,” according to Awake. “While these companies were impacted across multiple geographies, we have evidence to suggest that the ransomware attack was focused on…Canada, Germany, Luxembourg, Mexico and the United States.”
The group of known victims is small, and Awake analysis found that Hades asked between $5 and $10 million in ransom. However, victims reported that Hades was slow to respond in negotiations.
“In some cases, they may not have responded at all,” according to the analysis. “In fact, one Twitter user even claimed [Hades] never responds. If there were only a few organizations attacked, why would it take so long to respond to requests for ransom? Was there another possible motive here?”
Advanced Data-Theft Techniques
Hades’ toolset and techniques include a number that are typically used by espionage-related threat actors, according to Awake Labs.
For instance, researchers said the group leveraged legitimate accounts across victim environments, including both service accounts and privileged admin accounts that were used by the threat actor.
“We also are aware of at least one environment where Mimikatz was used as a mechanism to extract credentials,” according to the post. “This was the same environment with the file winexesvc.exe on the Exchange system where the Hafnium domain was identified.”
Hades then moved laterally from system to system across domains to find and prep files for exfiltration.
“The Hades actors searched local file systems and databases to find files of interest and sensitive data prior to exfiltration,” said Awake researchers. “They also searched and collected data from network shares on remote systems. Common targets of this were accessible shared directories on file servers. Awake identified these activities on several systems by examining the ShellBags registry artifact.”
Leak Sites
One of the not-so-advanced techniques used by the gang is its penchant for “methods for both their leaks and their drop sites that would likely be taken down within a very short time,” Awake researchers said. “There was very little sophistication in this set up, something that stands apart from other ransomware actors.”
Also, the data leaked on the group’s sites appears oddly selected, researchers said.
“[It was] not the most consequential data the actor could have leaked,” they noted. “The data chosen for the leak was a very limited set with little repercussions to the victims. Meanwhile the exfiltrated data was very different, containing large amounts of data focused on manufacturing processes. The question that therefore arises, what was the goal of stealing the crown jewels but disclosing less significant bits of information? Did they hold back on publicly sharing the most valuable data because they had alternate means to monetize the proprietary secrets?”
In all, Awake researchers noted that there are a number of unique aspects to the Hades modus operandi.
“[Hades] appeared to show a number of traits that were at once unlike other ransomware gangs, almost amateurish in a sense, while at the same time showing the kind of sophistication and obfuscation that is more the forte of nation-state-based APT,” explained researchers from Awake Labs, in a blog posting on Monday. “Our ‘spidey sense’ definitely went off.”
Some pieces of this post are sourced from:
threatpost.com