New Hades Ransomware Hits Leading US Vendors

Security researchers uncovered an ongoing malicious campaign targeting big-name US companies with Hades ransomware. At least three US vendors have been hit by an unknown financially-motivated actor since December 2020. 

What Is Hades Ransomware?

First discovered in late 2020, Hades ransomware is a brand new player in the threat arena. The malware was named after a dedicated Tor hidden website that is used to contact victims after the intrusion. Notably, a newly emerged Hades variant has nothing in common with the Hades Locker malware family, revealed in 2016.

According to the analysis from CrowdStrike, Hades is a 64-bit compiled successor of WastedLocker enhanced with the ability to evade signature-based detections and perform reverse engineering. Both malware variants share the same code and functionality, except for slight differences in tactics and tools. For example, Hades applies a different User Account Control (UAC) bypass than WastedLocker, however, both of them were taken from the same open source UACME project. Other disparity is insignificant and relates to the way of storing key information and ransom note delivery. The only thing that significantly differs Hades from WastedLocker refers to the way ransomware operators communicate to their victims. Particularly, Hades maintainers abandoned the email communication and switched to the Tor hidden websites unique for each victim.

Security experts from CrowdStrike believe that Evil Corp (Dridex, INDRIK SPIDER) Gang might stand behind the development of Hades ransomware. The Gang presumably switched to Hades to evade sanctions from the Treasury Department’s Office of Foreign Assets Control (OFAC) that were taken into action in December 2019 to charge cybercriminals for over $100 million financial losses caused by Dridex Trojan. Now all victims who paid the ransom to unlock their data from BitPaymer or WastedLocker (ransomware samples used by Evil Corp in the past) are also considered as those violating the sanctions. Therefore, not to lose possible financial gains and avoid legal action, Evil Corp developed new Hades ransomware. 

Hades Attacks Major US Companies

The report from Accenture’s Cyber Investigation & Forensic Response (CIFR) and Cyber Threat Intelligence (ACTI) teams reveals that at least three US-based vendors have suffered from Hades attack. The list of victims includes a transportation company, a consumer product retailer, and a world-leading manufacturer. The deep dive into this malicious campaign indicates that the unnamed threat actor behind the attacks is focused on top vendors with at least $1 billion in annual revenue. 

The attack kill chain analysis shows that Hades ransomware uses Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) for initial intrusion, leveraging legitimate credentials. Further, adversaries rely on Cobalt Strike and Empire for command-and-control (C&C) communication, lateral movement, and persistence. To fly under the radar and evade detection by anti-virus (AV) engines, threat actors use custom batch scripts and additional tooling to block AV and EDR services, clear event logs, prevent windows audit logging, and more. On the latest stages of intrusion, malware operators deploy Hades ransomware to encrypt victim’s data and use the 7zip utility to archive and transfer stolen sensitive information to the C&C server under the attacker’s control. That is done for double extortion, which is currently a top-trend approach in the ransomware arena.

Detecting Hades Ransomware

To detect the malicious activity of Hades and WastedLocker ransomware samples, you can download dedicated Sigma rules already available in Threat Detection Marketplace.

Hades Ransomware Detection a New Variant of WastedLocker (via registry_event)

The rule has translations to the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye Helix

MITRE ATT&CK: 

Tactics: Defense Evasion

Techniques: Modify Registry (T1112)

Detection of WastedLocker Ransomware

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye Helix

EDR: Carbon Black, Microsoft Defender ATP

MITRE ATT&CK: 

Tactics: Defense Evasion, Privilege Escalation

Techniques: Obfuscated Files or Information (T1027), Process Injection (T1055)

Subscribe to Threat Detection Marketplace, a world-leading Detection as Code platform that aggregates 100K+ detection algorithms and threat hunting queries for 23+ market-leading SIEM, EDR, and NTDR tools. Eager to develop your own Sigma rules and contribute to the global threat hunting initiatives? Join our Threat Bounty Program!