New research exposes details of the Gold Winter threat group and links it to the infamous Hades ransomware.

Researchers claim to have identified the operators of Hades ransomware, exposing the distinctive tactics, techniques, and procedures (TTPs) they employ in their attacks. Hades ransomware first appeared in December 2020 following attacks on a number of organizations, but to date there has been limited information about the perpetrators.

Today, researchers from the Counter Threat Unit (CTU) at Secureworks named Gold Winter as the threat group behind Hades ransomware. They also shared details of notable traits in Gold Winter’s operations that distinguish it from other such threat groups and suggest it is a financially motivated, likely Russia-based “big game hunter” that seeks high-value targets, chiefly North American manufacturers. The findings come from incident response engagements carried out by Secureworks in the first quarter of 2021.

“Some third-party reporting attributes Hades to the Hafnium threat group, but CTU research does not support that attribution,” the researchers wrote. “Other reporting attributes Hades to the financially motivated Gold Drake threat group based on similarities to that group’s WastedLocker ransomware. Despite use of similar application programming interface (API) calls, the CryptOne crypter, and some of the same commands, CTU researchers attribute Hades and WastedLocker to two distinct groups as of this publication.”

Hades ransomware and Gold Winter’s unique TTPs

The analysis of Gold Winter revealed TTPs not associated with other ransomware families, the researchers explained, along with some that resemble known techniques but have unusual aspects added. CTU researchers found that Gold Winter:

- Names and shames victims but does not use a centralized leak site to expose stolen data. Instead, Tor-based Hades websites appear to be customized for each victim, and each website includes a victim-specific Tox chat ID for communications. The use of Tox instant messaging for communications is a technique CTU researchers have not observed with other ransomware families.
- Is known to copy ransom notes from other high-profile families such as REvil and Conti, adding unique victim identifiers and replacing websites with contact email addresses. “Gold Winter may use lookalike ransom notes to confuse researchers or perhaps to pay homage to admired ransomware families,” the researchers wrote.
- Replaces the randomly generated five-character strings normally used for the victim ID and the encrypted file extension with words, for example “cypherpunk”. “Based on the definition of this term, perhaps the threat actors view their ransomware activity as a way to prompt organizations to improve their security,” the researchers added.
- Uses two distinct initial access vectors: SocGholish malware disguised as a fake Chrome update, and VPN access protected only by single-factor authentication.
- Deletes volume shadow copies using the command “vssadmin.exe Delete Shadows /All /Quiet”, but uses a distinctive self-delete command that unusually includes a “waitfor” command.

Gold Winter likely a private ransomware group, not RaaS

“Typically, when we see a variety of playbooks used around a particular ransomware, it points to the ransomware being delivered as ransomware-as-a-service (RaaS) with different pockets of threat actors using their own methods,” Marcelle Lee, senior security researcher, CTU-CIC at Secureworks, tells CSO. “We do not, however, think that is the case with Hades.” It is most likely that Gold Winter operates as a private ransomware group, she adds.

It is also possible that Gold Winter has been organized by another threat group to throw law enforcement and researchers off their trail, Lee continues. “In that case, the threat actors may be intentionally trying to find ways to appear different. Alternatively, and most likely, the techniques could simply reflect an evolution in the threat group playbook, using new tactics and capabilities.”

Lee advises using common ransomware defense and mitigation strategies against Hades: implement an endpoint detection and response solution, multi-factor authentication on internet-facing devices and for user applications, and effective asset management. She also recommends effective patch management, subscribing to curated threat intelligence to drive awareness of emerging threats, and having a tested incident response plan and team in place.
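The shadow-copy deletion, the waitfor-based self-delete and the victim-specific Tox IDs in the TTP list above are the parts of this write-up a defender can act on directly. The following script is added here as an illustration; it is not code from Secureworks, CSO or the Hades operators. Part 1 extracts Tox IDs from ransom-note text and validates them against the two-byte checksum toxcore appends to every Tox ID (the 36 preceding bytes XORed into one accumulator for even offsets and one for odd offsets). Part 2 triages Windows process-creation records carrying Sysmon-style Image, ParentImage and CommandLine fields for vssadmin shadow deletion and for a cmd.exe chain that runs waitfor and then deletes the executable that spawned it. The ransom note, the Tox key material and all process events are constructed samples; the self-delete command line is a plausible shape, not the exact command Hades uses, which the article does not reproduce.

```python
"""Triage helpers for two of the Gold Winter / Hades traits described above.

Part 1 extracts and checksum-validates Tox IDs from ransom-note text.
Part 2 flags vssadmin shadow-copy deletion and a waitfor-then-self-delete
cmd.exe chain in process-creation records. All sample data is constructed.
"""
from __future__ import annotations

import re

# ---- Part 1: victim-specific Tox IDs -------------------------------------
# A Tox ID is 38 bytes shown as 76 hex chars: 32-byte public key, 4-byte
# "nospam", then a 2-byte checksum. toxcore's address_checksum() XORs the
# first 36 bytes into two accumulators: even offsets -> byte 0, odd -> byte 1.
TOX_ID_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{76}(?![0-9A-Fa-f])")


def tox_checksum(key_and_nospam: bytes) -> bytes:
    acc = [0, 0]
    for i, b in enumerate(key_and_nospam):
        acc[i % 2] ^= b
    return bytes(acc)


def make_tox_id(public_key: bytes, nospam: bytes) -> str:
    """Build a Tox ID from a 32-byte key and 4-byte nospam (used for samples)."""
    assert len(public_key) == 32 and len(nospam) == 4
    body = public_key + nospam
    return (body + tox_checksum(body)).hex().upper()


def tox_id_valid(tox_id: str) -> bool:
    raw = bytes.fromhex(tox_id)
    return len(raw) == 38 and tox_checksum(raw[:36]) == raw[36:]


def extract_tox_ids(note: str) -> list[str]:
    """Return checksum-valid Tox IDs found in note text, normalised to upper case."""
    return [m.group(0).upper() for m in TOX_ID_RE.finditer(note)
            if tox_id_valid(m.group(0))]


# Constructed ransom note; the key bytes are a counter, not a real identity.
SAMPLE_TOX_ID = make_tox_id(bytes(range(32)), b"\xde\xad\xbe\xef")
SAMPLE_NOTE = ("Your network has been encrypted.\n"
               "Contact us through Tox chat: " + SAMPLE_TOX_ID + "\n"
               "Victim ID: cypherpunk\n")

# ---- Part 2: shadow-copy deletion and waitfor self-delete ----------------
VSSADMIN_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
WAITFOR_RE = re.compile(r"\bwaitfor(?:\.exe)?\b", re.I)
# Path argument of a `del` inside a cmd.exe chain, quoted or bare, up to the
# next command separator.
DEL_TARGET_RE = re.compile(
    r'\bdel\b(?:\s+/\w+)*\s+"?([A-Za-z]:\\[^"&|]+?)"?\s*(?:$|&|\|)', re.I)


def triage_process_event(event: dict) -> list[str]:
    """event carries Sysmon-style 'Image', 'ParentImage', 'CommandLine' fields."""
    cmdline = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").strip().lower()
    hits = []
    if VSSADMIN_DELETE_RE.search(cmdline):
        hits.append("vssadmin_delete_shadows")
    # Self-delete: a cmd.exe child deleting the executable that spawned it.
    targets = {t.strip().lower() for t in DEL_TARGET_RE.findall(cmdline)}
    if parent and parent in targets:
        hits.append("self_delete_of_parent")
        if WAITFOR_RE.search(cmdline):
            hits.append("waitfor_before_self_delete")
    return hits


# Constructed process-creation records (not real Hades telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Users\Public\update.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Public\update.exe",
     "CommandLine": r'cmd.exe /c waitfor /t 30 sig 2>nul & del /f /q "C:\Users\Public\update.exe"'},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Program Files\Backup\agent.exe",
     "CommandLine": "vssadmin.exe List Shadows"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c waitfor /t 5 done & del /q "C:\Temp\scratch.txt"'},
]


def triage_all(events: list[dict]) -> list[list[str]]:
    return [triage_process_event(e) for e in events]


if __name__ == "__main__":
    print("Tox IDs:", extract_tox_ids(SAMPLE_NOTE))
    for e, hits in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(hits or ["-"], e["CommandLine"])
```

Matching the `del` target against ParentImage, rather than just looking for the string `waitfor`, keeps the self-delete rule from firing on the many legitimate scripts that use waitfor for synchronisation (the fourth sample event). The vssadmin rule deliberately fires on any `delete shadows` invocation, not only the `/All /Quiet` form quoted above, since an operator need only change the switches to slip past an exact-string match. Checksum validation on Tox IDs drops the occasional 76-character hex blob (hashes, keys) that is not an address, so what remains can be fed straight into a tracking or clustering workflow.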