Hades Ransomware Linked to Hafnium and Exchange Attacks
Security experts have linked the Hades ransomware operation to the Hafnium state-backed group that was behind early attacks on Microsoft Exchange servers.
The ransomware crew was responsible for attacks on trucking giant Forward Air and a handful of others. It has been linked to the infamous Russian cybercrime operation Evil Corp (Indrik Spider) as a new variant of its WastedLocker ransomware, designed to help the group evade sanctions that would otherwise discourage victims from paying up.

However, a new report from Awake Security claims to have found a domain used for command-and-control in a Hades attack in December 2020, just before the zero-day Exchange server attacks were discovered.
“Our team was pulled in after the compromise and encryption to review the situation and in this one case a Hafnium domain was identified as an indicator of compromise within the timeline of the Hades attack,” explained Awake Security VP, Jason Bevis.
“Moreover, this domain was associated with an Exchange server and was being used for command-and-control in the days leading up to the encryption event.”
He claimed there are two possibilities: an advanced threat actor is operating under the guise of Hades, or multiple independent groups coincidentally compromised the same environment, due to poor security.
Other findings mark Hades out as an unusual ransomware group. Very few victims have been identified, and most seem to come from manufacturing sectors.
Bevis also noted “very little sophistication” in the leak sites set up by the group, with its Twitter ..