leowolfert - Fotolia

Mysterious Hades ransomware striking 'big game' enterprises

CrowdStrike reported Hades is tied to Evil Corp, but Awake Labs discovered a possible connection to Hafnium, a Chinese nation-state group behind initial Exchange Server attacks.

A new ransomware variant known as Hades has been hitting large enterprises, and threat researchers have cited connection to two possible threat groups: a Chinese nation-state group and an infamous Russian cybercrime gang.

Awake Security, a division of Arista Networks, published a blog post Monday about Hades ransomware, which was first discovered in late 2020 in attacks against multiple large enterprises, including major U.S.-based logistics company Forward Air. Awake Labs researchers observed a "possible" connection between Hades ransomware and Chinese nation-state group Hafnium, which Microsoft said was behind the initial attacks against Exchange Server vulnerabilities disclosed in early March.

The blog said that while it was difficult to identify an initial network access point for Hades ransomware attacks, Awake observed a connection in one specific incident response case.

"Our team was pulled in after the compromise and encryption to review the situation and in this one case a Hafnium domain was identified as an indicator of compromise within the timeline of the Hades attack," Awake Labs vice president Jason Bevis wrote.

In addition, Bevis said the identified Hafnium domain "was associated with an Exchange server" and that an unnamed third-party forensics firm connected the domain to a Hades attack in December 2020, one month before when Exchange Server attacks were believed to have started in January of this year.

In an email, Bevis told SearchSecurity that the incident occurred in early December, and Awake doesn't have enough forensic data to conclusively say the attack exploited ProxyLogon or the other Exchange vulnerabilities. He said Awake determined the Hafnium domain "was seen beaconing from the Microsoft Exchange environment."

While the post does not attribute Hades to Hafnium -- Bevis wrote that there could have been multiple threat actors compromising the victim's environment -- Awake Labs published the information "in case this intelligence is relevant to future Hades attacks."

Awake's post on Hafnium contrasts an earlier report by CrowdStrike that attributes Hades ransomware to the Russian cybercrime group Evil Corp, also referred to by CrowdStrike as Indrik Spider.

Evil Corp is known for the banking trojan Dridex, which was used widely between 2014 and 2020, as well as the $5 million reward the U.S. Department of State put up for information leading to the arrest and/or conviction of alleged leader Maksim Yakubets in 2019.

Maksim Yakubets wanted poster
Maksim Yakubets, the alleged mastermind of Russian cybercrime gang Evil Corp, is wanted by the Department of Justice.

In a March 17 post, CrowdStrike called Hades an evolution of Evil Corp's WastedLocker ransomware, which itself is a successor to BitPaymer ransomware. CrowdStrike researchers based their findings on shared functionality and "significant code overlap."

CrowdStrike declined to comment on Awake's research. SearchSecurity asked Bevis about CrowdStrike's report and the WastedLocker parallels.

"There are TTPs [tactics, techniques and procedures] from multiple actors, including WastedLocker, but also REvil and TimosaraHackerTeam that were observed in our incident response engagements. We believe the Hades gang is in fact using multiple ransomware-as-a-service solutions as part of their attacks," he said.

Accenture Security has also tracked Hades ransomware activity. In its blog on March 26, the company said the ransomware has hit at least three large enterprises seeking high ransoms, which was an indicator of "big game hunting" or targeting multinational corporations. While the blog post cited CrowdStrike's report on the Evil Corp connection, Accenture Security itself did not make an attribution case.

A spokesperson for Accenture told SearchSecurity that the company couldn't add any clarity on attribution, but they're continuing to track Hades activity.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Next Steps

DOJ creates ransomware task force to combat digital extortion

Dig Deeper on Threats and vulnerabilities