Fraud Management & Cybercrime , Fraud Risk Management , Governance & Risk Management

Hades Ransomware Gang Linked to an Exchange Attack

Awake Security Finds Connection Between Hafinum Group and Hades
Hades Ransomware Gang Linked to an Exchange Attack

Researchers at Awake Security say at least one attack launched by the operators of Hades ransomware has a connection to the China-linked Hafnium group waging attacks on vulnerable Exchange servers.

See Also: OnDemand | Defining a Detection & Response Strategy

On March 2, when Microsoft issued four patches for vulnerabilities in on-premises Exchange servers, the company said a Chinese gang it dubbed "Hafnium" was responsible for a series of attacks that exploited the flaws. But other researchers have said several cyber gangs were responsible.

As of Thursday, more than 92% of vulnerable servers had been patched or mitigated, Microsoft said in an update (see: Microsoft: Exchange Ransomware Activity 'Limited' So Far).

The Hades Connection

Awake Security made the connection between Hafnium and a Hades ransomware attack while investigating a December 2020 incident. The researchers say they found a Hafnium domain identified as an indicator of compromise within the timeline of a Hades attack.

"The use of a Hafnium IOC within an Exchange environment leads us to make the connection to Hafnium specifically," says Jason Bevis vice president of the Awake Labs unit of Awake Security.

This incident occurred before the security consulting firm DeVCore began investigating the Exchange flaws and then shared the results with Microsoft.

"We only saw this in one of the multiple Hades related-cases we were engaged in," Bevis says. "We do not have any evidence yet on the use of Hades in other Exchange-related attacks. But we are continuing to investigate this."

Crowdstrike disagrees with Awake Security's final analysis, saying that based on code overlap, Hades is a variant of WastedLocker, which would mean it is spread by Evil Corp, also known as Indrik Spider.

"Hades is merely a 64-bit compiled variant of WastedLocker with additional code obfuscation and minor feature changes," Crowdstrike said in a March 17 report.

Bevis counters by saying: “We are aware of the report, and while we have observed IoCs associated with Evil Corp, as the post alludes, we saw a number of other TTPs from other actors."

Code from the TimosaraHackerTerm gang and other groups were also found in the Hades attacks, Awake Security says.

Hades' Methods

Awake Security's researchers conclude that the attackers behind the Hades ransomware attacks do not use their own malware and may also work with other groups. The attackers focus on hitting a few targets in specific industries, they say.

"We believe the Hades group is leveraging multiple [ransomware-as-a-service] or other groups as part of their attack," Bevis says.

The Hades group focuses many of its attacks on manufacturing firms, specifically those in the automotive supply chain sector located in U.S. Canada, Germany, Luxemburg and Mexico, Awake Security says. The gang also attempts to extract ransom payments, ranging from $5 million to $10 million, the researchers say.

Last week, Accenture reported that a previously unknown group had used Hades ransomware in attacks against three U.S. companies in the transportation, consumer products and manufacturing sectors (see: Hades Ransomware Targets 3 US Companies).

"We believe that the Hades group had a clear motive of targeting a few companies to obtain specific data out of each organization," Bevis says. "Some of this data focused on third-party relationships within the industry, while other data was associated with specific manufacturing product and process development and functions."

The Hades gang steals credentials and related corporate data after moving laterally through the system, identifying accessible shared directories on file servers, the Awake Security report says.

Like many ransomware gangs, the operators behind Hades run sites where they leak some victims' data in an attempt to shame the targets to pay the ransom or run the risk of seeing all their data publicly exposed, Awake Security says.

The researchers also found several instances where the operators of Hades wiped a victim's backup storage system.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.