Accenture’s Cyber Investigation & Forensic Response (CIFR) and Cyber Threat Intelligence (ACTI) teams published an analysis of the latest campaign conducted by financially motivated threat group Hades which have been operating since at least December 2020.
Experts discovered that threat actors targeted a large US transportation & logistics organization, a large US consumer products organization, and a global manufacturing organization. At the time of this writing, it is unclear if the Hades gang operates a ransom-as-a-service model.
The profile of the victims suggests the attackers are focusing on Big Game Hunting, targeted organizations with annual revenues exceeding $1 billion USD.
Experts identified Tor hidden services and clearnet URLs via various open-source reporting that could be associated with the activity of the Hades ransomware. The ransom note left by the malware points to Tor pages that are uniquely generated for each victim.
Accenture researchers also noticed that the Hades ransom notes share portions with the one used by the REvil ransomware operators, unique differences are the operators’ contact information and the formatting of the ransom notes. While the ransom notes are similar, we do not have any evidence to suggest the threat groups or operations have any overlap at this time.
The attack chain begins with attacks to internet-facing systems via Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) using legitimate credentials.
Upon running on the victim’s machine, the malicious code creates a copy of itself and relaunches itself via the command line. The copy is then deleted and an executable is unpacked in memory. Then the malware perform a scan in local directories and network shares for content to encrypt. Experts noticed that each Hades ransomware sample uses a different extension to files that it encrypts and drops a ransom note with file name “HOW-TO-DECRYPT-[extension].txt”
“The use of legitimate credentials, service creation, and distribution of Command and Control (C2) beacons across victim environments through the use of Cobalt Strike and Empire, so far appear to be the predominant approach used by the unknown threat group to further their foothold and maintain persistence. In addition, the threat actors operated out of the root of C:\ProgramData where several executables tied to the intrusion set were found.” reads the analysis published by Accenture.
The analysis of the malware revealed the use of code obfuscation to avoid detection, while privilege escalation is achieved through credential harvesting and the use of tooling and manual enumeration of credentials.
Like other ransomware, Hades ransomware steal data before starting the encryption process and send them back to the C2.
“Prior to deploying Hades ransomware, the unknown threat group has employed the 7zip utility to archive data that was then staged and exfiltrated to an attacker-controlled server hosted in Mega[.]nz cloud infrastructure, leveraging the MEGAsync utility.” concludes the report. “In addition to data theft, actors deploy Hades ransomware to encrypt files identified on the victim network. Hades operators leverage this approach for “double-extortion” tactics.”
CIFR and ACTI also provided Indicators of Compromise (IoC) for the Hades attacks.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Hades ransomware)