Serviceteam IT Security News

Security experts have linked the Hades ransomware operation to the Hafnium state-backed group that was behind early attacks on Microsoft Exchange servers.

The ransomware crew was responsible for attacks on trucking giant Forward Air and a handful of others. It has been linked to infamous Russian cybercrime operation Evil Corp (Indrik Spider), as a new variant of its WasterdLocker ransomware, designed to help the group escape sanctions that would discourage victims to pay up.

However, a new report from Awake Security claims to have found a domain used for command-and-control in a Hades attack in December 2020, just before the zero-day Exchange server attacks were discovered.

“Our team was pulled in after the compromise and encryption to review the situation and in this one case a Hafnium domain was identified as an indicator of compromise within the timeline of the Hades attack,” explained Awake Security VP, Jason Bevis.

“Moreover, this domain was associated with an Exchange server and was being used for command-and-control in the days leading up to the encryption event.”

He claimed there are two possibilities: an advanced threat actor is operating under the guise of Hades, or multiple independent groups coincidentally compromised the same environment, due to poor security.

Other findings mark Hades out as an unusual ransomware group. Very few victims have been identified, and most seem to come from manufacturing sectors.

Bevis also noted “very little sophistication” in the leak sites set up by the group, with its Twitter account, a page on Hackforums, and Pagebin and Hastebin pages all subsequently removed.

“As incident responders know it is common for ransomware actors to set up leak sites for their data, but what was interesting about Hades is that they used methods for both their leaks and their drop sites that would likely be taken down within a very short time,” he argued.

“We know the actor requested amounts in the range of $5 to $10m of ransom and was very slow to respond to some individuals. In some cases, they may not have responded at all. In fact, one Twitter user even claimed ‘TA never responds.’ If there were only a few organizations attacked, why would it take so long to respond to requests for ransom? Was there another potential motive here? Why haven’t we seen Hades since?”

Bevis also noted that the data leaked on the sites is far less impactful than the information the group has actually stolen, which relates to detailed manufacturing processes.

The report also pointed to remnants of activity from the TimosaraHackerTerm (THT) ransomware group in some Hades victim environments a few weeks prior to the latter’s attacks. These include use of Bitlocker or BestCrypt for encryption, connection to a Romanian IP address and use of VSS Admin to clear shadow copies of the local machine.

Source: Infosecurity Magazine

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *