Hades Ransomware Has Targeted 7 Large CompaniesAccenture Security: Attackers Focus on Those With Over $1 Billion in Revenue
At least seven companies with annual revenue of over $1 billion have been hit so far this year by Hades ransomware, according to an Accenture Security report.
Since March, victims have been targeted in the consumer goods and services, insurance, and manufacturing and distribution sectors, Accenture Security says, without identifying any companies. "The profiles of the known victims continue to be a consistent indicator of 'big game hunting,' with target selection and deployment methods aimed toward high-value payouts," the firm notes.
The threat group behind Hades ransomware has been in operation since at least December 2020 and has continued to target victims through May 2021, Accenture Security says. The company says the group's activities "will likely continue to proliferate into the foreseeable future, impacting additional carefully selected victims."
The group behind the Hades variant is also likely using Phoenix CryptoLocker in an effort to impede attack attribution, the security firm says.
Bleeping Computer had previously reported that a ransomware attack attributed to the Evil Corp hacking group against insurer CNA was conducted using Phoenix CryptoLocker.
Researchers found that the Hades attackers have used a relatively standard toolkit with only minor variations, such as using credential access via VPN and SocGholish malware delivered via a malicious Google Chrome update, which were found to be the primary infection vectors.
In the Hades attacks so far, an advanced IP scanner was used for reconnaissance and PSexec was used for lateral movement and deployment of the ransomware, Accenture Security researchers say. The threat actors also made heavy use of remote desktop protocol for lateral movement, and they used Mimikatz, an open-source application, to access credentials. Similar batch files were used to disable Microsoft Windows Defender and other antivirus software, stop services and clear logs, the researchers note. The gang behind the Hades ransomware also consistently uses Cobalt Strike.
"In at least two intrusions, there was targeted destruction of backups prior to encryption," the researchers note in their report. "7zip utility was used to archive data that was then staged and exfiltrated to an attacker-controlled server hosted in Mega[.]nz cloud infrastructure, leveraging the MEGAsync utility."
"Lone wolf" ransomware groups, such as the group behind Hades, "typically operate outside of the affiliate-based model and don’t consistently participate in ransomware-as-a-service operations. However, this doesn’t necessarily mean they are not a well-resourced group in and of themselves," Accenture Security notes.
The Hades ransomware operators tailor their tactics and tools to carefully selected targets and run a “hands on keyboard” operation to inflict maximum damage and achieve higher payouts, the researchers say.
"This includes multimillion-dollar ransom demands, and in at least two instances, successful payment. However, while portions of each intrusion chain may seem 'novel' in nature, their approach suggests a moderate level of operational and technical sophistication, as the operators leverage a mostly standard toolkit and often use 'noisy' approaches for reconnaissance. In at least one instance, the targeted organization successfully deterred the attack before impact, so the intended action on objectives are unknown."
Hades and Other Strains
Hades' ransom notes are similar to those used by the REvil group, Accenture has previously noted. REvil also targets large companies for higher payouts.
"The differentiating factors in the ransom notes are the operators’ contact information and the formatting of the ransom notes," according to Accenture's previous report. "While the ransom notes are similar, we do not have any evidence to suggest the threat groups or operations have any overlap at this time."
A March report by security firm CrowdStrike says Hades appears to be a successor to WastedLocker ransomware, which is believed to be used by Evil Corp, a criminal group that has been active since 2014. Accenture Security says it's not yet able to name the group that is behind Hades.
CrowdStrike notes Hades has much of the same functionality as WastedLocker.