Hades Ransomware Operators Use Distinctive Tactics and Infrastructure

Hades ransomware has been on the scene since December 2020, but there has been limited public reporting on the threat group that operates it. Secureworks® incident response (IR) engagements in the first quarter of 2021 provided Secureworks Counter Threat Unit™ (CTU) researchers with unique insight into the group’s use of distinctive tactics, techniques, and procedures (TTPs).


The financially motivated threat group operating the Hades ransomware is known as GOLD WINTER. Some third-party reporting attributes Hades to the HAFNIUM threat group, but CTU™ research does not support that attribution. Other reporting attributes Hades to the financially motivated GOLD DRAKE threat group based on similarities to that group’s WastedLocker ransomware. Despite use of similar application programming interface (API) calls, the CryptOne crypter, and some of the same commands, CTU researchers attribute Hades and WastedLocker to two distinct groups as of this publication.


Ransomware groups are typically opportunistic: they target any organization that could be susceptible to extortion and will likely pay the ransom. However, GOLD WINTER’s attacks on large North America-based manufacturers indicate that the group is a “big game hunter” that specifically seeks high-value targets.


Unique TTPs


Analysis of these IR engagements revealed TTPs not associated with other ransomware families. Some of the tactics and tools may be similar to those used by other threat groups, but GOLD WINTER added some unusual aspects.


‘Tox’-ic conversations


Hades’ absence on underground forums and marketplaces suggests that it is operated as private ransomware rather than ransomware as a service (RaaS). GOLD WINTER “names and shames” victims after s ..
