The Hades ransomware gang
The Hades ransomware gang is a cybercriminal operator behind a number of sophisticated attacks that have drawn the attention of cybersecurity researchers.
A recent analysis of the Hades group’s attacks from the end of 2020 suggests that the cybercriminals operating under that name are either an advanced persistent threat (APT) known as Hafnium, or several different hacking groups that simultaneously compromise the same targets by taking advantage of weaknesses in their general security.
An interesting discovery that points to a possible relation between Hades and Hafnium is that during one of the Hades ransomware attacks, researchers detected a Hafnium domain as an indicator of compromise.
Hafnium is an APT that recently appeared in the cybersecurity news headlines after Microsoft accused it of performing zero-day attacks on its Exchange servers by exploiting the ProxyLogon vulnerabilities. Security professionals tentatively link Hafnium to the Chinese government.
Hades modus operandi
Research on the Hades gang’s modus operandi reveals that the criminals behind it use a distinctive set of strategies and methods that differ from what other hacking groups typically use.
Hades’ toolkit involves some techniques often utilized by threat actors specialized in espionage. For instance, before exfiltration, Hades operators scan local file systems and libraries in search of data archives and confidential details. In addition, they scan for and collect data from network shares on remote systems.
The Hades gang mostly targets manufacturing-oriented companies, especially those in the automotive supply chain and those making insulation products. Victims of the ransomware attacks have been recorded in Canada, Germany, Luxembourg, Mexico and the United States, and all of them are companies that operate globally.
Based on the strategies used, security researchers assume that the Hades gang probably has more than blackmail in mind when choosing and attacking its targets.
The number of known victims is small, but the ransom that Hades has requested in the reported cases is between five and ten million dollars. Interestingly, the hacking group has been slow to respond in negotiations.
One of the less advanced techniques employed by the gang is its inclination to use leak and drop sites that can be taken down very easily. These setups show very little sophistication, which is unusual compared to what other ransomware actors rely on.
Further, the data leaked on Hades’ sites seems unusually selected. Researchers find it odd that the group publishes less important pieces of information while keeping the sensitive data unpublished, and suggest that there could be other means of monetizing the more sensitive data than leaking it. Perhaps ransom is not the only objective for some of these gangs?