The Awake Labs team has analyzed Hades ransomware and the associated cyberattacks at the end of 2020 and say there are two possibilities: either there is an advanced persistent threat (APT) operating under the guise of Hades, possibly Hafnium; or, several groups compromised the same environments around the same time.
In one Hades ransomware attack, the Awake team saw that attackers used a Hafnium domain.
Hafnium is an APT behind zero-day attacks on Microsoft Exchange servers that Microsoft links to the Chinese government.
Moreover, the researchers say the domain was associated with an Exchange server and was used for command and control prior to encryption.
Based on another analysis by Awake, this domain was first seen in a Hades attack in December 2020.
Awake researchers also found evidence of other threat actors during attacks with Hades.
According to Awake, the following artifacts belong to the TimosaraHackerTerm (THT) ransomware group:
- VSS Admin was used to clear shadow copies of the local machine
- Bitlocker or BestCrypt was used for encryption
- External IP connection was made to an IP address in Romania – 185[.]225[.]19[.]240
- The IP address from Romania was associated with two new files tracked on VirusTotal.
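The artifacts above are the kind a defender would turn into detection logic. The following Python script is an added example, not code from Awake Labs or from the article: it refangs the IP indicator quoted above, parses constructed key=value process-creation and network-connection log lines (sample data written for this example, not real telemetry), and flags shadow copy deletion via vssadmin and connections to the listed address. Field names such as `image`, `cmdline` and `dst` are assumptions about the log format.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Indicator from the article, kept in its defanged form; refang() restores
# the routable form so it can be compared against log data.
DEFANGED_IOCS = ["185[.]225[.]19[.]240"]


def refang(indicator: str) -> str:
    """Undo the common '[.]' defanging convention used when publishing IOCs."""
    return indicator.replace("[.]", ".")


IOC_IPS = {refang(i) for i in DEFANGED_IOCS}

# Constructed sample events (hypothetical format: key=value pairs, values
# quoted when they contain spaces). Hosts, users and timestamps are invented.
SAMPLE_LOGS = [
    r'2020-12-14T02:13:05Z host=FS01 event=ProcessCreate image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet" user=CORP\svc-backup',
    r'2020-12-14T02:13:09Z host=FS01 event=ProcessCreate image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe list shadows" user=CORP\admin',
    r'2020-12-14T02:15:41Z host=EXCH01 event=NetworkConnect image=C:\Windows\Temp\svc.exe dst=185.225.19.240 dport=443',
    r'2020-12-14T02:16:00Z host=WS17 event=NetworkConnect image="C:\Program Files\Mozilla Firefox\firefox.exe" dst=93.184.216.34 dport=443',
]

# key=value tokens; the value is either a double-quoted string or a run of
# non-whitespace characters (Windows paths without spaces fall in the latter).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line: str) -> dict:
    """Turn one log line into a dict of its key=value fields."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def check_shadow_copy_deletion(ev: dict) -> Optional[Finding]:
    """vssadmin deleting shadow copies: a common pre-encryption step."""
    if ev.get("event") != "ProcessCreate":
        return None
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    if image.endswith("vssadmin.exe") and "delete" in cmd and "shadows" in cmd:
        return Finding("shadow_copy_deletion", ev.get("host", "?"), cmd)
    return None


def check_known_bad_destination(ev: dict) -> Optional[Finding]:
    """Outbound connection to an address on the indicator list."""
    if ev.get("event") != "NetworkConnect":
        return None
    dst = ev.get("dst", "")
    if dst in IOC_IPS:
        return Finding("known_bad_destination", ev.get("host", "?"),
                       f"{ev.get('image', '?')} -> {dst}:{ev.get('dport', '?')}")
    return None


CHECKS = (check_shadow_copy_deletion, check_known_bad_destination)


def detect(lines: Iterable[str]) -> list:
    """Run every check over every line; return the findings in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for check in CHECKS:
            hit = check(ev)
            if hit is not None:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"[{f.rule}] host={f.host} {f.detail}")
```

Run as-is, the script reports two findings: the `vssadmin delete shadows` invocation on FS01 (the benign `list shadows` call is not flagged) and the connection from EXCH01 to the refanged Romanian address. Matching on an exact IP is the least durable of the two rules, since infrastructure changes between campaigns; the command-line rule captures behaviour and would also have fired on the shadow copy clearing attributed to THT above.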
The Hades gang mainly targets organizations in manufacturing, especially the automotive supply chain and insulation products sectors. Hades operators demand between $5 million and $10 million in ransom.
Hades hackers often use tools of espionage-related threat actors, according to Awake Labs.
Researchers said the attackers used valid accounts, including privileged admin accounts and service accounts.
“We also are aware of at least one environment where Mimikatz was used as a method to extract credentials,” according to Awake. “This was the same environment with the file winexesvc.exe on the Exchange system where the Hafnium domain was identified.”
“The Hades actors searched local file systems and databases to find files of interest and sensitive data prior to exfiltration,” said Awake researchers. “They also searched and collected data from network shares on remote systems. Common targets of this were accessible shared directories on file servers. Awake identified these activities on multiple systems by analyzing the ShellBags registry artifact.”
All in all, Awake researchers say Hades operators were unlike other ransomware gangs: “almost amateurish in a sense, while at the same time showing the type of sophistication and obfuscation that is more the forte of nation-state-based APT,” the researchers explained in a blog post on Monday. “Our ‘spidey sense’ certainly went off.”