Researchers claim to have discovered the identity of the operators of Hades ransomware, exposing the distinctive tactics, techniques, and procedures (TTPs) they employ in their attacks.
Hades ransomware first appeared in December 2020 following attacks on a number of organisations, but to date there has been limited information regarding the perpetrators.
Today, researchers from the Counter Threat Unit (CTU) at Secureworks named Gold Winter as the threat group behind Hades ransomware. Furthermore, they shared details of notable traits in Gold Winter’s operations that distinguish it from other such threat groups and suggest it is a financially motivated, likely Russia-based “big game hunter” that seeks high-value targets, chiefly North America-based manufacturers.
The findings are a result of incident response engagements carried out by Secureworks in the first quarter of 2021.
“Some third-party reporting attributes Hades to the Hafnium threat group, but CTU research does not support that attribution,” researchers wrote. “Other reporting attributes Hades to the financially motivated Gold Drake threat group based on similarities to that group’s WastedLocker ransomware.
“Despite use of similar application programming interface (API) calls, the CryptOne crypter, and some of the same commands, CTU researchers attribute Hades and WastedLocker to two distinct groups as of this publication.”
Hades ransomware and Gold Winter’s unique TTPs
Researchers explained that the analysis of Gold Winter uncovered TTPs not associated with other ransomware families, along with some that resemble known techniques but have unusual aspects added.
CTU researchers revealed that Gold Winter names and shames victims but does not use a centralised leak site to expose stolen data. Instead, Tor-based Hades websites appear to be customised for each victim and each website includes a victim-specific Tox chat ID for communications.
The use of Tox instant messaging for communications is a technique CTU researchers have not observed with other ransomware families.
The group is also known to copy ransom notes from other high-profile families such as REvil and Conti, adding unique victim identifiers and replacing websites with contact email addresses. “Gold Winter may use look-alike ransom notes to confuse researchers or perhaps to pay homage to admired ransomware families,” researchers wrote.
Furthermore, Gold Winter replaces randomly generated five-character strings for the victim ID and encrypted file extension with words -- e.g., “cypherpunk”. “Based on the definition of this term, perhaps the threat actors view their ransomware activity as a way to prompt organisations to improve their security,” researchers added.
In addition, Gold Winter uses two distinct initial access vectors: SocGholish malware disguised as a fake Chrome update, and VPN access protected only by single-factor authentication. The group deletes volume shadow copies with the common “vssadmin.exe Delete Shadows /All /Quiet” command, but uses a distinctive self-delete command that unusually includes a “wait for” command.
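As an added defensive example (not from the article or from Secureworks), the following Python scans constructed process-creation records for the vssadmin shadow-copy deletion described above, tolerating the case and spacing variants in which the command is typed or logged; the sample events and the (image, command line) field layout are assumptions.

```python
import re

# Constructed sample process-creation records (not taken from the article): each is an
# (image path, command line) pair as an EDR or Sysmon Event ID 1 would record them.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("C:\\Windows\\System32\\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("C:\\Windows\\System32\\vssadmin.exe", "vssadmin.exe Delete Shadows/All/Quiet"),
    ("C:\\Windows\\System32\\vssadmin.exe", "vssadmin.exe list shadows"),
    ("C:\\Windows\\System32\\cmd.exe", "cmd.exe /c vssadmin.exe delete shadows /for=C: /oldest"),
    ("C:\\Windows\\System32\\cmd.exe", "cmd.exe /c ping 127.0.0.1 -n 5"),
]

# A shadow-copy deletion regardless of letter case and of whether the switches are
# space-separated (the article prints the command without spaces before the switches).
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
ALL_SWITCH = re.compile(r"/all\b", re.IGNORECASE)
QUIET_SWITCH = re.compile(r"/quiet\b", re.IGNORECASE)


def classify(cmdline):
    """Return a finding dict for a shadow-copy deletion, or None for anything else."""
    if not SHADOW_DELETE.search(cmdline):
        return None
    full_wipe = bool(ALL_SWITCH.search(cmdline))
    quiet = bool(QUIET_SWITCH.search(cmdline))
    # Silently deleting *all* copies has no routine administrative use on an endpoint;
    # a targeted /for= or /oldest deletion is more plausibly legitimate, so rank it lower.
    severity = "high" if full_wipe and quiet else "medium"
    return {"cmdline": cmdline, "all": full_wipe, "quiet": quiet, "severity": severity}


def scan(events):
    """Scan (image, cmdline) records and return the findings in log order."""
    findings = []
    for image, cmdline in events:
        finding = classify(cmdline)
        if finding:
            finding["image"] = image
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"], f["cmdline"])
```

Run against a real EDR export, a `medium` hit from a backup agent's service account is expected noise, whereas any `high` hit on a workstation warrants an immediate look at what that host ran next.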
Gold Winter likely a private ransomware group, not RaaS
Speaking to CSO, Marcelle Lee, senior security researcher, CTU-CIC at Secureworks, says, “Typically, when we see a variety of playbooks used around a particular ransomware, it points to the ransomware being delivered as ransomware-as-a-service (RaaS) with different pockets of threat actors using their own methods. We do not, however, think that is the case with Hades.” It is most likely that Gold Winter operates as a private ransomware group, she adds.
It is also possible that Gold Winter has been organised by another threat group to throw law enforcement and researchers off their trail, Lee continues.
“In that case, the threat actors may be intentionally trying to find ways to appear different. Alternatively, and most likely, the techniques could simply reflect an evolution in the threat group playbook, using new tactics and capabilities.”
Lee advises using common ransomware defence and mitigation strategies for Hades: implement an endpoint detection and response solution, multi-factor authentication on internet-facing devices and for user applications, and effective asset management. She also recommends effective patch management, subscription to curated threat intelligence to drive awareness of emerging threats, and having a tested incident response plan and team in place.