Hades Ransomware Gang Exhibits Connections to Hafnium


There could be more than immediately meets the eye with this targeted attack group.

The Hades ransomware gang has several unique characteristics that set it apart from the rest of the pack, according to researchers – including potentially having more than extortion on the to-do list. The group appears to use multiple nation-state tools and techniques.

The researchers said that their investigations into the group’s cyberattacks at the end of 2020 suggest one of two possibilities: an advanced persistent threat (APT), possibly Hafnium, is operating under the guise of Hades; or several different groups coincidentally compromised the same environments, “potentially due to weak security practices in general.”

The Hafnium Connection

In one Hades ransomware attack, the Awake team identified a Hafnium domain as an indicator of compromise within the timeline of the Hades attack.

Hafnium is an APT believed to be linked to the Chinese government, which Microsoft identified as carrying out zero-day attacks on Microsoft Exchange servers using the group of vulnerabilities now known as ProxyLogon.

“Moreover, this domain was associated with an Exchange server and was being used for command and control in the days leading up to the encryption event,” according to the posting. “Based on [another team’s] analysis this domain was first seen in a Hades attack in December 2020. Clearly at this point the vulnerability in Exchange had not been publicly disclosed but this attack time frame aligns more closely with the DevCore vulnerability discovery date. This clearly provides evidence of the attack prior to January 2021, which has been the consensus until now.”

Connections to Other Groups

Awake researchers also found evidence of other threat actors within some Hades victim environments.

For instance, artifacts pointing to the TimosaraHackerTerm (THT) ransomware group (named after a town in Romania) were seen in multiple cases, likely left a few weeks before the Hades attack. According to Awake, these included:

  • VSS Admin was used to clear shadow copies of the local machine
  • Bitlocker or BestCrypt (bcfmgr) was used for encryption on the local machines
  • An external IP connection was made to the Romanian IP 185[.]225[.]19[.]240

For the THT indicators of compromise (IoCs), the Romanian IP address above was observed exhibiting malicious behavior between October and November and was associated with two new files tracked on VirusTotal.
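The two THT artifacts above (a shadow-copy deletion and a connection to a defanged IP address) are the kind of indicator a defender would sweep logs for. The following is an added example, not code from Awake or from the article, that refangs the published IoC and checks constructed firewall and process-creation log lines for both indicators; the log format, host names and the `scan_log_lines` helper are assumptions made for the example.

```python
import re

# The defanged IP address reported in the article for the THT artifacts.
DEFANGED_IOCS = ["185[.]225[.]19[.]240"]

# Constructed sample log lines (not real telemetry): one firewall hit on the IoC,
# one benign connection, one shadow-copy deletion, one harmless vssadmin query.
SAMPLE_LOGS = [
    "2020-11-02T03:14:07Z fw01 ALLOW src=10.0.5.23:49812 dst=185.225.19.240:443 proto=tcp",
    "2020-11-02T03:15:22Z fw01 ALLOW src=10.0.5.23:49813 dst=93.184.216.34:443 proto=tcp",
    '2020-11-02T03:20:41Z host23 sysmon EventID=1 CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage=cmd.exe',
    '2020-11-02T03:21:05Z host23 sysmon EventID=1 CommandLine="vssadmin list shadows"',
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form.

    Threat reports wrap dots as '[.]' and schemes as 'hxxp' so the IoC is not
    clickable; logs contain the plain form, so undo that before matching.
    """
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def _ip_pattern(ip: str) -> re.Pattern:
    # Anchor on non-digit/non-dot neighbours so 185.225.19.240 does not
    # match inside 185.225.19.2400 or 1185.225.19.240.
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


# Shadow-copy deletion via vssadmin, as described for the THT artifacts.
# 'vssadmin list shadows' is a normal administrative query and must not match.
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)


def scan_log_lines(lines, iocs=DEFANGED_IOCS):
    """Return (line_no, reason, line) for every line that hits an IoC IP or
    shows a shadow-copy deletion. Line numbers are 1-based."""
    ip_patterns = [(refang(i), _ip_pattern(refang(i))) for i in iocs]
    hits = []
    for n, line in enumerate(lines, 1):
        for ip, pattern in ip_patterns:
            if pattern.search(line):
                hits.append((n, f"ioc:{ip}", line))
        if SHADOW_DELETE_RE.search(line):
            hits.append((n, "shadow_copy_deletion", line))
    return hits


if __name__ == "__main__":
    for line_no, reason, line in scan_log_lines(SAMPLE_LOGS):
        print(f"line {line_no}: {reason}: {line}")
```

Running the block reports two hits: the firewall line to 185.225.19.240 and the `vssadmin.exe delete shadows` command line; the benign connection and the `vssadmin list shadows` query are left alone. In practice the IoC list would be loaded from the report rather than hard-coded, and the shadow-copy pattern would sit beside equivalents for `wmic shadowcopy delete` and the other deletion methods that ransomware actors use.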

Hades Victimology

According to the Awake analysis, the Hades gang appears to be picky about its targets, and mainly goes after organizations focused on manufacturing, especially those in the automotive supply chain as well as those making insulation products.

“The locations of the attack were slightly dispersed as each of the companies were global in their operational footprints,” according to Awake. “While these organizations were impacted across multiple geographies, we have evidence to suggest that the ransomware attack was focused on…Canada, Germany, Luxembourg, Mexico and the United States.”

The group of known victims is small, and Awake’s analysis found that Hades asked between $5 million and $10 million in ransom. However, victims said that Hades was slow to respond in negotiations.

“In some cases, they may not have responded at all,” according to the analysis. “In fact, one Twitter user even claimed [Hades] never responds. If there were only a few organizations attacked, why would it take so long to respond to requests for ransom? Was there another potential motive here?”

Advanced Data-Theft Techniques

Hades’ toolset and approaches include several that are often used by espionage-related threat actors, according to Awake Labs.

For instance, researchers said the group leveraged valid accounts throughout victim environments, including both service accounts and privileged admin accounts.

“We also are aware of at least one environment where Mimikatz was used as a method to extract credentials,” according to the post. “This was the same environment with the file winexesvc.exe on the Exchange system where the Hafnium domain was identified.”

Hades then moved laterally from system to system across domains to access and prep files for exfiltration.

“The Hades actors searched local file systems and databases to find files of interest and sensitive data prior to exfiltration,” said Awake researchers. “They also searched and collected data from network shares on remote systems. Common targets of this were accessible shared directories on file servers. Awake identified these activities on multiple systems by analyzing the ShellBags registry artifact.”

Leak Sites

One of the not-so-advanced tactics used by the gang is its penchant for “methods for both their leaks and their drop sites that would likely be taken down within a very short time,” Awake researchers said. “There was very little sophistication in this setup, something that stands apart from other ransomware actors.”

Also, the data leaked on the group’s sites seems oddly chosen, researchers said.

“[It was] not the most consequential data the actor could have leaked,” they noted. “The data chosen for the leak was a very limited set with little repercussions to the victims. Meanwhile the exfiltrated data was very different, containing large amounts of data focused on manufacturing processes. The question that therefore arises, what was the objective of stealing the crown jewels but disclosing less significant bits of information? Did they hold back on publicly sharing the most valuable data because they had alternate means to monetize the proprietary secrets?”

In all, Awake researchers noted that there are several unique aspects to the Hades modus operandi.

“[Hades] appeared to exhibit a number of characteristics that were at once unlike other ransomware gangs, almost amateurish in a sense, while at the same time showing the type of sophistication and obfuscation that is more the forte of nation-state-based APT,” explained researchers from Awake Labs, in a blog posting on Monday. “Our ‘spidey sense’ certainly went off.”
