Hades Ransomware Linked to Hafnium and Exchange Attacks

Written by

Security experts have linked the Hades ransomware operation to the Hafnium state-backed group that was behind early attacks on Microsoft Exchange servers.

The ransomware crew was responsible for attacks on trucking giant Forward Air and a handful of others. It has been linked to infamous Russian cybercrime operation Evil Corp (Indrik Spider), as a new variant of its WasterdLocker ransomware, designed to help the group escape sanctions that would discourage victims to pay up.

However, a new report from Awake Security claims to have found a domain used for command-and-control in a Hades attack in December 2020, just before the zero-day Exchange server attacks were discovered.

“Our team was pulled in after the compromise and encryption to review the situation and in this one case a Hafnium domain was identified as an indicator of compromise within the timeline of the Hades attack,” explained Awake Security VP, Jason Bevis.

“Moreover, this domain was associated with an Exchange server and was being used for command-and-control in the days leading up to the encryption event.”

He claimed there are two possibilities: an advanced threat actor is operating under the guise of Hades, or multiple independent groups coincidentally compromised the same environment, due to poor security.

Other findings mark Hades out as an unusual ransomware group. Very few victims have been identified, and most seem to come from manufacturing sectors.

Bevis also noted “very little sophistication” in the leak sites set up by the group, with its Twitter account, a page on Hackforums, and Pagebin and Hastebin pages all subsequently removed.

“As incident responders know it is common for ransomware actors to set up leak sites for their data, but what was interesting about Hades is that they used methods for both their leaks and their drop sites that would likely be taken down within a very short time,” he argued.

“We know the actor requested amounts in the range of $5 to $10m of ransom and was very slow to respond to some individuals. In some cases, they may not have responded at all. In fact, one Twitter user even claimed ‘TA never responds.’ If there were only a few organizations attacked, why would it take so long to respond to requests for ransom? Was there another potential motive here? Why haven’t we seen Hades since?”

Bevis also noted that the data leaked on the sites is far less impactful than the information the group has actually stolen, which relates to detailed manufacturing processes.

The report also pointed to remnants of activity from the TimosaraHackerTerm (THT) ransomware group in some Hades victim environments a few weeks prior to the latter’s attacks. These include use of Bitlocker or BestCrypt for encryption, connection to a Romanian IP address and use of VSS Admin to clear shadow copies of the local machine.

What’s hot on Infosecurity Magazine?