Accenture Describes Highly Targeted Campaign
A previously unknown threat group is deploying Hades ransomware as part of an ongoing campaign that has already targeted three U.S. companies, Accenture’s cyberthreat intelligence group reports.
The three victims, which Accenture did not identify, are in the transportation, consumer products and manufacturing sectors. They each have revenue of over $1 billion.
“Based on the intrusion data from incident response engagements, the [Hades] operators tailor their tactics and tooling to carefully selected targets and run a more “hands on keyboard” operation to inflict maximum damage and higher payouts,” Accenture says.
The Steps Involved
The ransomware operators target remote desktop protocols or virtual private networks, according to the research report, which says they harvest legitimate credentials. The attackers then move to gain persistence in a targeted network using tools such as Cobalt Strike and Empire (see: Ransomware-Wielding Gangs Love to Phish With Trojan Loaders).
The Hades operators then secure privilege escalation through manual enumeration of harvested credentials, according to the report. The attackers then perform several security evasion techniques, such as disabling antivirus programs, Accenture researchers say.
In the final stage of the attacks, the operators deploy Hades ransomware through an attacker-controlled server. “In addition to data theft, threat actors deploy Hades ransomware to encrypt files identified on the victim network. Hades operators leverage this approach for ‘double-extortion’ tactics,” the report notes.
Once files have been encrypted, the attackers display a ransom note, instructing victims to download the Tor website, open a specific URL and follow further instructions to pay the ransom for decrypting the targeted files.
Hades ransomware was previously tied to an attack on a trucking and freight logistics company, Forward Air, according to Bleeping Computer.
Accenture researchers say it’s unclear if the ransomware operates under an affiliate model or is distributed by a single group.
Links to Other Strains
Hades’ ransom notes are similar to those used by the REvil group, Accenture says. REvil also targets large companies for higher payouts (see: REvil Ransomware Can Now Reboot Infected Devices).
“The differentiating factors in the ransom notes are the operators’ contact information and the formatting of the ransom notes,” according to the Accenture report. “While the ransom notes are similar, we do not have any evidence to suggest the threat groups or operations have any overlap at this time.”
But a March report by security firm CrowdStrike says Hades appears to be a successor to WastedLocker ransomware, which is believed to be employed by Evil Corp, a criminal group that has been active since 2014.
CrowdStrike notes Hades shares the majority of its functionality, including multistage presence and encryption, with WastedLocker.
To reduce the risks of falling victim to a Hades attack or other ransomware attacks, organizations should deploy endpoint detection and response, implement a robust password policy, deploy multifactor authentication and regularly patch and inspect firewalls, Accenture advises.