The group behind the high-profile ransomware attacks targeting billion-dollar companies has claimed to have infected at least seven companies since its launch late last year. It’s the latest example of how even the largest companies are not immune to ransomware attacks.
According to Accenture Security research released Tuesday, the Hades gang has also taken additional steps to obscure its true operators.
The operators of the self-named Hades ransomware variant are unknown and the recent research only added to the mystery, researchers said.
Accenture said it was not yet able to independently verify the threat actor behind Hades. Other researchers, however, have suggested it is either connected to a well-known Russian ransomware gang or linked to the Chinese nation-state hacking outfit behind this year’s Microsoft Exchange Server attacks.
According to Accenture, since March, the criminals have been targeting the insurance, manufacturing, and distribution industries.
Accenture has concluded that the operators have added a variant of Phoenix Cryptolocker to their arsenal, a move it believes is intended to deter “campaign links” and “attribution claims.”
The operators of Hades have been consistent and methodical in their tactics and targeting procedures. But they have also performed “some unique and destructive actions,” such as “targeted enumeration of cloud environments and destruction of cloud-native backups or snapshots.”
Finally, Accenture says it is moderately confident that the operators do not offer Hades as ransomware-as-a-service.
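The destruction of cloud-native backups and snapshots described above is the kind of activity a defender can watch for in cloud audit logs before encryption begins. The following is an added example, not code from the article or from Accenture's research: it scans a handful of constructed CloudTrail-style events for backup-destroying API calls (the AWS event names `DeleteSnapshot`, `DeleteDBSnapshot`, `DeleteRecoveryPoint` and `DeleteBackupVault` are real API actions; the log layout, account, principal and threshold are assumptions) and flags a principal that deletes backups in bulk within a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# API actions that remove recovery capability. These are real AWS API names;
# the list is illustrative and should be extended for the services in use.
BACKUP_DESTRUCTION_EVENTS = {
    "DeleteSnapshot",        # EC2 EBS snapshot
    "DeleteDBSnapshot",      # RDS snapshot
    "DeleteRecoveryPoint",   # AWS Backup recovery point
    "DeleteBackupVault",     # AWS Backup vault
}

# Constructed sample events in a CloudTrail-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"eventTime": "2021-06-15T02:14:05Z", "eventName": "DescribeSnapshots",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"}},
    {"eventTime": "2021-06-15T02:15:10Z", "eventName": "DeleteSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"}},
    {"eventTime": "2021-06-15T02:15:12Z", "eventName": "DeleteSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"}},
    {"eventTime": "2021-06-15T02:15:40Z", "eventName": "DeleteRecoveryPoint",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"}},
    {"eventTime": "2021-06-15T02:16:01Z", "eventName": "DeleteBackupVault",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"}},
    # A single routine deletion by a different principal, hours earlier.
    {"eventTime": "2021-06-14T20:00:00Z", "eventName": "DeleteSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/nightly-cleanup"}},
]


def parse_time(stamp: str) -> datetime:
    """CloudTrail timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_bulk_backup_destruction(events, window=timedelta(minutes=10), threshold=3):
    """Return {principal_arn: count} for principals that issued at least
    `threshold` backup-destroying calls inside any `window`-long period.

    Uses a sliding window over each principal's sorted deletion times, so a
    slow trickle of routine deletions is not flagged but a burst is.
    """
    per_principal = defaultdict(list)
    for ev in events:
        if ev.get("eventName") in BACKUP_DESTRUCTION_EVENTS:
            per_principal[ev["userIdentity"]["arn"]].append(parse_time(ev["eventTime"]))

    flagged = {}
    for arn, times in per_principal.items():
        times.sort()
        start = 0
        best = 0
        for end in range(len(times)):
            # Advance the window start until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[arn] = best
    return flagged


def load_events(raw_json: str):
    """Accept a CloudTrail-style export: either a list or {"Records": [...]}."""
    data = json.loads(raw_json)
    return data["Records"] if isinstance(data, dict) else data


if __name__ == "__main__":
    hits = find_bulk_backup_destruction(load_events(json.dumps(SAMPLE_EVENTS)))
    for arn, count in hits.items():
        print(f"ALERT: {arn} issued {count} backup-destroying calls in a 10-minute window")
```

The threshold and window are tuning knobs; the useful signal is the combination of enumeration (`Describe*` calls) followed shortly by a burst of deletions from one principal, which a scheduled cleanup role rarely produces.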
These insights into Hades arrive just as some prominent ransomware groups are shutting down operations or simply rebranding.
According to the cybersecurity company, several potential trends are emerging in how ransomware operators run their campaigns.
“We think this may be an indicator of a shift in approach where certain ransomware operators are not just evolving their Tactics, Techniques and Procedures (TTPs), but they’re also quickly adapting their operations to changes in the legal and regulatory landscape — to increase the likelihood of payment from victims,” the Accenture cyber investigations, forensics and response team said to CyberScoop. “Based on recent activity by Hades operators, this approach may also be taken to deter or blur attribution for specific attacks or campaigns.”