
Hades Ransomware


Summary

Hades is a human-operated ransomware tool used in targeted attacks on large organisations.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Hades is a ransomware family used by the Indrik Spider Advanced Persistent Threat (APT) group, also known as Evil Corp, in targeted attacks. Hades is an evolution of the group's WastedLocker ransomware, developed as an attempt to evade sanctions imposed on the group by the US government. Hades has significant code overlap with WastedLocker but includes code obfuscation and minor feature changes. 


Delivery

The group's primary means of initial access into a network is through internet-facing systems that expose Remote Desktop Protocol (RDP), or through Virtual Private Networks (VPNs) accessed with legitimate credentials.

Indrik Spider is also known to deliver malware via fake software updates displayed on compromised websites. In one reported case a Hades deployment has been observed following exploitation of the ProxyLogon Exchange vulnerabilities.


Activities

Once initial network access has been achieved the group maintains persistence and command and control (C2) communications using Cobalt Strike and Empire beacons. Credentials are harvested from the system or manually enumerated to escalate privileges.

After escalating privileges the group evades detection by clearing event logs, terminating antimalware tools and disabling Windows audit logging. Lateral movement between hosts is achieved using the obtained credentials and RDP.

Indrik Spider may exfiltrate data to cloud infrastructure under the group's control before deploying Hades ransomware.

When Hades is executed it deletes shadow copies and encrypts files, appending a unique filename extension in each case. A ransom note named HOW-TO-DECRYPT-[extension].txt is saved to the affected system and asks users to navigate to a Tor dark web site for payment instructions.

Security researchers have identified a domain name associated with the Hafnium APT in the timeline of a Hades attack, suggesting that there is either an advanced actor using the Hades name or that multiple actors compromised the same system by coincidence.
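The activity chain described above (event logs cleared, audit logging disabled, shadow copies deleted, ransom note dropped) maps onto a small set of host detections. The following Python script is an added example, not code from NHS Digital or from the advisory. It parses Windows events in a hypothetical JSON-lines schema, uses standard event identifiers (Security 1102 and System 104 for a cleared log, Security 4719 for an audit policy change, Security 4688 for process creation, Sysmon 11 for file creation), and flags the ransom note by the HOW-TO-DECRYPT-[extension].txt name the advisory gives. The vssadmin/wmic command-line patterns are common Windows shadow copy deletion commands and are an assumption about mechanism; the advisory does not say how Hades removes shadow copies. All sample events are constructed.

```python
"""Host detections for the Hades activity chain described above.
Added example: the event schema (JSON lines with Computer/Channel/EventID
plus event-specific fields) and every sample event are constructed."""
import json
import re
from typing import Dict, Iterable, List

# Common Windows shadow copy deletion command lines (assumption: the advisory
# does not state which mechanism Hades uses).
SHADOW_DELETE_RE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE,
)
# Ransom note name from the advisory: HOW-TO-DECRYPT-[extension].txt, where the
# extension is assumed to be alphanumeric.
RANSOM_NOTE_RE = re.compile(r"(^|[\\/])HOW-TO-DECRYPT-[A-Za-z0-9]+\.txt$", re.IGNORECASE)


def classify(event: Dict) -> List[str]:
    """Return the names of the detections that fire for one parsed event.

    Event IDs used (standard Windows / Sysmon values):
      Security 1102, System 104  - event log cleared
      Security 4719              - system audit policy changed
      Security 4688              - process creation (CommandLine field)
      Sysmon 11                  - file created (TargetFilename field)
    """
    hits: List[str] = []
    eid = event.get("EventID")
    channel = event.get("Channel", "")
    if (eid == 1102 and channel == "Security") or (eid == 104 and channel == "System"):
        hits.append("event_log_cleared")
    if eid == 4719 and channel == "Security":
        hits.append("audit_policy_changed")
    if eid == 4688 and SHADOW_DELETE_RE.search(event.get("CommandLine", "")):
        hits.append("shadow_copy_deletion")
    if (eid == 11 and channel.startswith("Microsoft-Windows-Sysmon")
            and RANSOM_NOTE_RE.search(event.get("TargetFilename", ""))):
        hits.append("ransom_note_created")
    return hits


def run_detections(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines events and return one alert record per detection hit."""
    alerts: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record; a production pipeline would count these
        for name in classify(event):
            alerts.append({"host": event.get("Computer", "?"),
                           "detection": name, "event_id": event.get("EventID")})
    return alerts


def summarise_by_host(alerts: Iterable[Dict]) -> Dict[str, List[str]]:
    """Group alerts per host: several distinct detections on one host in a short
    window is the pattern the advisory describes before encryption starts."""
    by_host: Dict[str, set] = {}
    for alert in alerts:
        by_host.setdefault(alert["host"], set()).add(alert["detection"])
    return {host: sorted(names) for host, names in by_host.items()}


# Constructed sample events: one benign logon, the defence-evasion steps on WS01,
# and shadow copy deletion plus a ransom note on file server FS02.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Channel": "Security", "EventID": 4624, "TargetUserName": "alice"},
    {"Computer": "WS01", "Channel": "Security", "EventID": 1102, "SubjectUserName": "svc_backup"},
    {"Computer": "WS01", "Channel": "Security", "EventID": 4719, "SubjectUserName": "svc_backup",
     "AuditPolicyChanges": "Success removed, Failure removed"},
    {"Computer": "FS02", "Channel": "Security", "EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"Computer": "FS02", "Channel": "Security", "EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "FS02", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11,
     "TargetFilename": "C:\\Shares\\Finance\\HOW-TO-DECRYPT-k7p3q.txt"},
    # Near miss: similar prefix but not the advisory's note name pattern.
    {"Computer": "FS02", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11,
     "TargetFilename": "C:\\Users\\alice\\Documents\\HOW-TO-DECRYPT-notes-draft.docx"},
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    found = run_detections(SAMPLE_LOG_LINES)
    for alert in found:
        print(alert)
    print(summarise_by_host(found))
```

Several distinct detections on the same host within a short window, which is what summarise_by_host surfaces, is a far stronger signal than any one of them: a cleared log or a changed audit policy on its own is routine noise on many estates, but together with shadow copy deletion it is the pre-encryption sequence the advisory describes.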


Remediation advice

If a device on your network becomes infected with ransomware it will begin encrypting files, which may also include remote files on network locations. The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup. To limit the impact of a ransomware infection, NHS Digital advises that:

  • Critical data is frequently saved in multiple backup locations.
  • At least one backup is kept offline at any time (separated from live systems).
  • Backups and incident recovery plans are tested to ensure that data can be restored when needed.
  • User account permissions for modifying data are regularly reviewed and restricted to the minimum necessary.
  • Infected systems are disconnected from the network and powered down as soon as practicable.
  • Any user account credentials that may have been compromised are reset on a clean device.
  • Where infected systems cannot be quarantined with confidence, the affected organisation disconnects from national networks to limit propagation.

Additionally, to prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network indicators

Domain names:

  • currentteach[.]com
  • newschools[.]info

IP addresses:

  • 185[.]162[.]131[.]99
  • 185[.]250[.]151[.]33
  • 185[.]63[.]253[.]131
  • 8[.]208[.]22[.]215
  • 82[.]148[.]28[.]9
  • 8[.]208[.]16[.]206
  • 119[.]18[.]58[.]41

Host indicators

File hashes (SHA-256):

  • e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0
  • ea310cc4fd4e8669e014ff417286da5edf2d3bef20abfb0a4f4951afe260d33d
  • 0dfcf4d5f66310de87c2e422d7804e66279fe3e3cd6a27723225aecf214e9b00
  • fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
  • 1f7b65834408fad403f4959f3c265751c09dd1d55350a68b1c02b603c145fe48
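To check existing telemetry against the indicators listed above, the following Python script is an added example and not code from the advisory. It refangs the published domains, IP addresses and SHA-256 hashes, then scans two constructed inputs in hypothetical formats: key=value connection records (as a proxy or firewall might export) and sha256sum-style file hash lines. Domain matching is done at label boundaries so that subdomains of a listed domain match but lookalike suffixes do not, and hashes are compared case-insensitively. The sample log lines and hash inventory are constructed; benign addresses use RFC 5737 documentation ranges.

```python
"""Matching the published Hades indicators against constructed log data.
Added example: the log formats and all sample lines are hypothetical."""
import re
from typing import Dict, Iterable, List, Optional

# Indicators exactly as published in the advisory, defanged with "[.]".
DEFANGED_DOMAINS = ["currentteach[.]com", "newschools[.]info"]
DEFANGED_IPS = [
    "185[.]162[.]131[.]99", "185[.]250[.]151[.]33", "185[.]63[.]253[.]131",
    "8[.]208[.]22[.]215", "82[.]148[.]28[.]9", "8[.]208[.]16[.]206", "119[.]18[.]58[.]41",
]
SHA256_HASHES = [
    "e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0",
    "ea310cc4fd4e8669e014ff417286da5edf2d3bef20abfb0a4f4951afe260d33d",
    "0dfcf4d5f66310de87c2e422d7804e66279fe3e3cd6a27723225aecf214e9b00",
    "fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87",
    "1f7b65834408fad403f4959f3c265751c09dd1d55350a68b1c02b603c145fe48",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable, normalised form."""
    return ioc.replace("[.]", ".").strip().lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}
HASHES = {h.strip().lower() for h in SHA256_HASHES}


def domain_matches(name: str) -> Optional[str]:
    """Return the listed domain that 'name' equals or is a subdomain of, else None.
    Matching only at a label boundary avoids hits on names such as
    'newschools.info.example.org'."""
    name = name.lower().rstrip(".")
    for d in DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None


KV_RE = re.compile(r"(\w+)=(\S+)")


def scan_network_log(lines: Iterable[str]) -> List[Dict]:
    """Scan key=value connection records (hypothetical format) for IP and domain hits."""
    matches: List[Dict] = []
    for n, line in enumerate(lines, 1):
        fields = dict(KV_RE.findall(line))
        dst = fields.get("dst", "")
        if dst in IPS:
            matches.append({"line": n, "type": "ip", "indicator": dst, "src": fields.get("src")})
        hit = domain_matches(fields.get("sni", ""))
        if hit:
            matches.append({"line": n, "type": "domain", "indicator": hit, "src": fields.get("src")})
    return matches


def scan_hash_inventory(lines: Iterable[str]) -> List[Dict]:
    """Scan '<sha256>  <path>' lines (sha256sum-style output) for the listed hashes."""
    matches: List[Dict] = []
    for line in lines:
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, path = parts[0].lower(), parts[1]
        if digest in HASHES:
            matches.append({"sha256": digest, "path": path})
    return matches


# Constructed sample data. Benign destinations use documentation ranges.
SAMPLE_NETWORK_LOG = [
    "2021-03-30T10:12:03Z src=10.0.4.17 dst=185.162.131.99 dport=443 sni=currentteach.com",
    "2021-03-30T10:12:09Z src=10.0.4.17 dst=198.51.100.20 dport=443 sni=www.example.com",
    "2021-03-30T10:14:41Z src=10.0.7.3 dst=203.0.113.8 dport=443 sni=CDN.newschools.info",
    "2021-03-30T10:15:02Z src=10.0.7.3 dst=203.0.113.9 dport=443 sni=newschools.info.example.org",
    "2021-03-30T10:20:55Z src=10.0.9.21 dst=8.208.16.206 dport=443",
]
SAMPLE_HASH_INVENTORY = [
    "E657FF4838E474653B55367AA9D4A0641B35378E2E379AD0FDD1631B3B763EF0  C:\\Users\\Public\\update.exe",
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08  C:\\Windows\\notepad.exe",
    "fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87  C:\\ProgramData\\svc.exe",
    "malformed line without a path",
]

if __name__ == "__main__":
    for m in scan_network_log(SAMPLE_NETWORK_LOG):
        print("network hit:", m)
    for m in scan_hash_inventory(SAMPLE_HASH_INVENTORY):
        print("hash hit:", m)
```

A hit on an IP address alone should be treated with more caution than a domain or hash hit, since shared hosting and address reuse mean the same address can serve unrelated traffic over time; the timestamp on each record should be compared with the advisory's publication date before escalating.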

Last edited: 1 April 2021 4:44 pm