Security experts have linked the Hades ransomware operation to the state-backed Hafnium group behind early attacks on Microsoft Exchange servers

The ransomware crew was responsible for attacks on truck giant Forward Air and a handful of others It has been linked to the infamous Russian cybercrime operation Evil Corp (Indrik Spider) as a new variant of the WasterdLocker ransomware helping the group intended to escape sanctions that would prevent victims from paying

However, a new report from Awake Security claims to have found a domain used for command and control in a Hades attack in December 2020, just before the zero-day Exchange server attacks were discovered becomes

“Our team was called in after the compromise and the encryption to review the situation In this case, a hafnium domain was identified as an indicator of a compromise within the timeline of the Hades attack, “said Jason Bevis, VP of Awake Security

“In addition, this domain was assigned to an Exchange server and was used for control and monitoring in the days before the encryption event”

He claimed there were two possibilities: an advanced threat actor was operating under the guise of Hades, or several independent groups happened to endanger the same environment due to a lack of security

Other findings mark Hades out as an unusual ransomware group Very few victims have been identified and most appear to be from the manufacturing sector

Bevis also noted “very little sophistication” in the leak sites the group set up, whose Twitter account, a page in hack forums, and pagebin and hastebin pages were all subsequently removed

“As incident responders know, it is common for ransomware actors to set up leaks for their data What is interesting about Hades, however, is that they used methods for both their leaks and their drop sites that would likely be removed within a very short time, ”he argued

“We know that the actor would get ransom in the range of 5 to 10 million USD has requested and has been slow to respond to some people In some cases, they may not have responded at all A Twitter user even claimed TA never replies “If only a few organizations were attacked, why would it take so long to respond to ransom requests ? ” Was there another possible motive here? Why haven’t we seen Hades since then? “

Bevis also noted that the data leaked on the websites is far less impactful than the information the group actually stole, which relates to detailed manufacturing processes

The report also pointed to residual activity from the TimosaraHackerTerm (THT) ransomware group in some Hades victim environments a few weeks before their attacks, including using Bitlocker or BestCrypt for encryption, connecting to a Romanian IP address, and using it from VSS Admin to delete local computer shadow copies


World news – FI – Hades ransomware related to hafnium and exchange attacks