Cybersecurity researchers on Tuesday disclosed the "unique" tactics, techniques, and procedures (TTPs) employed by the operators of the Hades ransomware that set it apart from other malware of its kind, and attributed the activity to a financially motivated threat group tracked as GOLD WINTER.
"In many ways, GOLD WINTER is a classic 'post-intrusion ransomware' group that pursues high-value targets to maximize ransom from victims. However, GOLD WINTER's operations have some quirks that differentiate it from other groups."
The findings come from incident response engagements handled by the Atlanta-based cybersecurity firm Secureworks in the first quarter of 2021.
According to CrowdStrike, Hades is an iteration of the WastedLocker ransomware developed by the established cybercriminal group INDRIK SPIDER, with additional code obfuscation and minor functional changes; it first appeared in the wild in December 2020. INDRIK SPIDER, also known as GOLD DRAKE and Evil Corp, is a sophisticated cybercriminal group notorious for operating the Dridex banking Trojan and for distributing the BitPaymer ransomware between 2017 and 2020.
According to research by the Accenture Cyber Investigative and Forensic Response (CIFR) and Accenture Cyber Threat Intelligence (ACTI) teams, as of late March 2021 this WastedLocker variant had affected at least three companies: a U.S. transportation and logistics organization, a U.S. consumer goods organization, and a global manufacturing organization. Back in December 2020, the freight giant Forward Air was attacked. On December 15, 2020, Forward Air Corporation detected a ransomware incident that affected its operations and information technology systems, causing service delays for many customers. Immediately upon discovering the incident, the company initiated its response protocols, launched an investigation, and engaged cybersecurity and forensics professionals. At that time, the Hades ransomware gang behind the attack had only begun conducting manual, hands-on attacks against businesses about a week earlier.
After encrypting the victim's files, the attacker drops a ransom note named "HOW-TO-DECRYPT-[extension].txt", a naming convention similar to that of the REvil ransomware. Separately, an analysis published by Awake Security raised the possibility that an advanced threat actor could be operating under the guise of Hades, citing a domain attributed to Hafnium that was identified as an indicator of compromise within the timeline of a Hades attack. Hafnium was behind the ProxyLogon attacks on vulnerable Exchange servers earlier this year.
Secureworks said the group uses TTPs unrelated to those of other ransomware operators, adding that the absence of Hades from underground forums and marketplaces likely means it operates as custom ransomware rather than as ransomware-as-a-service (RaaS).
GOLD WINTER targets virtual private networks (VPNs) and Remote Desktop Protocol (RDP) services to gain an initial foothold and maintain access to compromised environments, then establishes persistence with tools such as Cobalt Strike. In one case, the attackers disguised a Cobalt Strike executable as the CorelDRAW graphics editor to mask the file's malicious nature, the researchers said.
In a second case, Hades was found to use the SocGholish malware (usually associated with the GOLD DRAKE group) as its initial access vector. In that attack, users are lured to a compromised website that uses a fake browser-update theme as a social engineering lure to trigger a malicious download without any further user interaction.
Hades also copies the ransom note template of competing groups such as REvil and Conti.
Another novel technique is communicating with victims through the Tox instant messaging service, combined with a Tor-based website tailored to each victim rather than a centralized leak site for exposing stolen data. Each website contains a victim-specific Tox chat ID that is used for communication.
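As an added example (not code from the article, from Secureworks, or from any of the vendors named here), the following Python script shows how a responder could turn the two observables described above, the "HOW-TO-DECRYPT-[extension].txt" note naming and the victim-specific Tox chat ID, into triage logic: it finds ransom notes in a file listing, checks whether encrypted siblings with the named extension sit beside each note, and pulls Tox IDs out of note text. The file paths, the extension `k3x9q` and the Tox IDs are constructed for the example; the Tox ID layout (76 hex characters, with a 2-byte XOR checksum over the first 36 bytes) comes from the Tox protocol specification, not from the article.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Ransom note naming convention described in the article: HOW-TO-DECRYPT-<extension>.txt
NOTE_RE = re.compile(r"^HOW-TO-DECRYPT-([A-Za-z0-9]+)\.txt$", re.IGNORECASE)

# A Tox ID is 76 hex characters: 32-byte public key + 4-byte nospam + 2-byte checksum.
# (Format taken from the Tox specification; the article only says the note carries a Tox chat ID.)
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")


def find_ransom_notes(paths):
    """Return {note_path: extension} for every file whose name matches the note pattern."""
    notes = {}
    for p in paths:
        m = NOTE_RE.match(PurePosixPath(p).name)
        if m:
            notes[p] = m.group(1).lower()
    return notes


def corroborate(paths, notes):
    """For each note, count sibling files in the same directory carrying the extension
    named in the note. Encrypted files beside a note are strong corroboration; a lone
    note may be a false positive, a copied sample, or an analyst's test artifact."""
    by_dir = defaultdict(list)
    for p in paths:
        pp = PurePosixPath(p)
        by_dir[str(pp.parent)].append(pp.name)
    counts = {}
    for note, ext in notes.items():
        siblings = by_dir[str(PurePosixPath(note).parent)]
        counts[note] = sum(
            1 for n in siblings
            if n.lower().endswith("." + ext) and not NOTE_RE.match(n)
        )
    return counts


def tox_checksum(first36):
    """Tox checksum: XOR the first 36 bytes of the ID into two bytes (even/odd positions)."""
    chk = bytearray(2)
    for i, b in enumerate(first36):
        chk[i % 2] ^= b
    return bytes(chk)


def tox_id_checksum_ok(tox_id):
    """True if the last two bytes of a 76-hex-char ID match the checksum of the first 36."""
    raw = bytes.fromhex(tox_id)
    return len(raw) == 38 and tox_checksum(raw[:36]) == raw[36:]


def extract_tox_ids(text):
    """All 76-hex-char candidates in the text, de-duplicated and upper-cased."""
    return sorted({m.group(0).upper() for m in TOX_ID_RE.finditer(text)})


def valid_tox_ids(text):
    """Candidates that also pass the checksum, which filters random hex blobs (hashes, keys)."""
    return [t for t in extract_tox_ids(text) if tox_id_checksum_ok(t)]


# Constructed sample file listing: one corroborated note, one lone note, one analyst copy.
SAMPLE_PATHS = [
    "/srv/share/finance/Q1-report.xlsx.k3x9q",
    "/srv/share/finance/budget.docx.k3x9q",
    "/srv/share/finance/HOW-TO-DECRYPT-k3x9q.txt",
    "/srv/share/hr/HOW-TO-DECRYPT-k3x9q.txt",
    "/srv/share/hr/policy.pdf",
    "/home/analyst/notes/HOW-TO-DECRYPT-test.txt",
]

# Constructed Tox ID: 35 bytes of 0x01, one byte of 0x02, then the correct checksum 0x0003.
VALID_ID = "01" * 35 + "02" + "0003"
# Constructed decoy: 76 hex chars whose trailing bytes do not match the checksum.
BOGUS_ID = "AB" * 38

# Constructed ransom note text containing both strings.
SAMPLE_NOTE = (
    "Your files are encrypted. Contact us via Tox: " + VALID_ID + "\n"
    "Unrelated hex that is not a Tox ID: " + BOGUS_ID + "\n"
)


def triage(paths=SAMPLE_PATHS, note_text=SAMPLE_NOTE):
    """Summarise what a responder would want to see from the sample data."""
    notes = find_ransom_notes(paths)
    return {
        "notes": notes,
        "encrypted_siblings": corroborate(paths, notes),
        "tox_ids": valid_tox_ids(note_text),
    }


if __name__ == "__main__":
    for k, v in triage().items():
        print(k, v)
```

The checksum step matters in practice: a 76-character hex regex alone would also match SHA-256 digests followed by four hex characters, embedded keys, or other incidental hex in a note, so validating the Tox checksum before treating a string as an actor contact handle keeps the indicator list clean.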
Ransomware groups are often opportunistic, targeting any organization that might be extorted into paying. GOLD WINTER's attack on a large North American manufacturer, however, shows that the group specifically seeks out high-value targets.