An obscure monetarily spurred threat group is utilizing the self-proclaimed Hades ransomware variant in cybercrime activities that have affected at least three victims since December 2020. Known victims incorporate a huge US transportation and logistics organization, a huge US consumer products organization, and a worldwide manufacturing organization.
Tactics, Techniques, and Procedures (TTP) utilized to compromise a victim network, escalate privileges, move laterally, evade defenses, exfiltrate data and deploy Hades ransomware are relatively consistent with other notable ransomware operators, utilizing a mix of commodity tooling and various living-off-the-land techniques. When Hades lands on a victim's machine, it duplicates itself and relaunches itself through the command line. The 'spare' duplicate is then erased and an executable is unloaded in memory. A scan is then performed in local directories and network offers to discover content to encrypt however every Hades sample secured uses a different extension.
Moreover, Accenture recognized extra Tor covered up services and clearnet URLs by means of different open-source reporting relating to the Hades ransomware samples. For every examined sample, the ransom notes distinguished educate the victim to install Tor browser and visit the predetermined page. The Tor pages vary just in the Victim ID that is given, demonstrating every Tor address might be particularly created for every victim. Accenture Security distinguished an aggregate of six of these addresses, showing there could be three extra victims that they are unaware of as of now.
Right now, it is hazy if the obscure threat group works under an affiliate model, or if Hades is appropriated by a solitary group. Under an affiliate model, developers partner with affiliates who are answerable for different undertakings or phases of the operation lifecycle, for example, conveying the malware, giving starting admittance to associations, or even target selection and reconnaissance. In any case, in light of intrusion information from incident response engagements, the operators tailor their strategies and tooling to deliberately chose targets and run a more “hands-on keyboard” operation to inflict maximum damage and higher payouts.
Likewise, Accenture recognized similarities in the Hades ransom notes to those that have been utilized by REvil ransomware operators, where parts of the ransom notes observed contain identical wording.