Unique TTPs Connect Hades Ransomware to New Threat Group

Researchers claim to have uncovered the origins of the Hades ransomware's operators, as well as the unique tactics, techniques, and procedures (TTPs) the group uses in its attacks.

The Hades ransomware first appeared in December 2020 in a series of attacks on a variety of organizations, but little information about the culprits has been published to date.

Secureworks' Counter Threat Unit (CTU) has identified Gold Winter as the threat group behind the Hades ransomware. The researchers also disclosed details about Gold Winter's activities that set it apart from otherwise similar threat groups, and they assess it to be a financially motivated, most likely Russia-based "big game hunter" that pursues high-value targets, primarily North American manufacturers.

The researchers stated, “Some third-party reporting attributes Hades to the Hafnium threat group, but CTU research does not support that attribution.” 

“Other reporting attributes Hades to the financially motivated Gold Drake threat group based on similarities to that group’s WastedLocker ransomware. Despite the use of similar application programming interface (API) calls, the CryptOne crypter, and some of the same commands, CTU researchers attribute Hades and WastedLocker to two distinct groups as of this publication.”

According to the researchers, the investigation of Gold Winter revealed TTPs not seen in other ransomware operations; some resemble known techniques but carry uncommon twists.

According to the researchers, Gold Winter:

- Names and shames victims, but does not use a centralized leak site to publish stolen information. Instead, Tor-based Hades websites appear to be tailored to each victim, including a victim-specific Tox chat ID for negotiation. Tox instant messaging is a technique CTU researchers have ..
