An unknown threat group is deploying a variant of Hades ransomware in targeted attacks against US companies.
On Friday, Accenture’s Cyber Investigation & Forensic Response (CIFR) and Cyber Threat Intelligence (ACTI) teams published an analysis about the latest Hades campaign which has been active since at least December 2020 until this month.
According to the cybersecurity researchers, at least three major companies have been successfully attacked with the ransomware strain including a transport & logistics company, a consumer products retailer, and a global manufacturer. Forward Air was reportedly a past victim.
Accenture says that the threat actors are focusing on targeting organizations that generate at least $1 billion in annual revenue.
In the latest attacks, the threat actors take a hands-on approach and use a mix of custom tools and fileless approaches.
The Hades operators gain initial access through internet-facing systems, Remote Desktop Protocol (RDP), or Virtual Private Network (VPN) setups using legitimate credentials — which they may have obtained through brute-force attacks or from stolen data dumps.
When Hades lands on a victim’s machine, it creates a copy of itself and relaunches that copy via the command line. The ‘spare’ copy is then deleted and an executable is unpacked in memory. The malware then scans local directories and network shares for content to encrypt; each Hades sample obtained by the researchers appends a different file extension to the files it encrypts.
A ransom note, “HOW-TO-DECRYPT-[extension].txt,” is then dropped on the machine.
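Because the encrypted-file extension changes per sample while the ransom note name keeps the fixed “HOW-TO-DECRYPT-[extension].txt” shape, the note is the stable handle for scoping an incident. The following triage script is an added example, not code from the Accenture report: it walks a tree, recovers the extension from any note it finds, and lists the files carrying that extension. The directory layout, the extension `qwerty`, and the file names are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Hades drops "HOW-TO-DECRYPT-[extension].txt" next to the files it encrypted; the
# extension differs per sample, so it is parsed from the note rather than hard-coded.
NOTE_RE = re.compile(r"^HOW-TO-DECRYPT-(?P<ext>[A-Za-z0-9]+)\.txt$", re.IGNORECASE)


def find_hades_notes(root):
    """Walk `root`; return {extension: sorted list of files carrying that extension}.

    Every ransom note found reveals one sample-specific extension; every regular
    file under `root` ending in that extension is reported as suspected encrypted
    content. An empty dict means no note was found under `root`.
    """
    root = Path(root)
    extensions = set()
    for path in root.rglob("*"):
        match = NOTE_RE.match(path.name)
        if match and path.is_file():
            extensions.add(match.group("ext").lower())
    result = {ext: [] for ext in extensions}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lstrip(".").lower()
        if ext in result:
            result[ext].append(str(path.relative_to(root)))
    return {ext: sorted(files) for ext, files in result.items()}


def build_sample_tree():
    """Create a throwaway directory mimicking a share hit by one Hades sample.

    The extension "qwerty" and all file names here are constructed for this example.
    """
    root = Path(tempfile.mkdtemp(prefix="hades-triage-"))
    (root / "finance").mkdir()
    (root / "HOW-TO-DECRYPT-qwerty.txt").write_text("constructed ransom note\n")
    (root / "finance" / "q1.xlsx.qwerty").write_bytes(b"\x00" * 16)
    (root / "finance" / "budget.docx.qwerty").write_bytes(b"\x00" * 16)
    (root / "readme.txt").write_text("untouched file\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for ext, files in find_hades_notes(sample).items():
        print(f"extension .{ext}: {len(files)} suspected encrypted files")
        for name in files:
            print("  ", name)
```

Run it against a mounted share image rather than a live host so the walk does not touch files the attacker may still be encrypting.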
The ransomware notes obtained through Hades samples direct victims to install Tor and a unique address appears to be generated for each target. In total, six have been traced, which may indicate further infections.
CrowdStrike believes that Hades is a successor to WastedLocker ransomware, a variant that has been deployed by REvil against US targets in past campaigns.
Hades also includes code obfuscation to avoid signature-based detection. A variety of reconnaissance tools are also used to collect network, host, and domain information and to achieve lateral movement through networks.
Before encrypting the files, the Hades operators steal and archive data so that the victims may either pay up, or risk the leak of corporate data online.
Indicators of Compromise (IoCs) for the threat group and the Hades variant have been published.