
Hades Ransomware Connection to the Hafnium Group

Researchers found several unique characteristics of the Hades ransomware criminal group, which appears to use the tools and techniques of multiple nation-state hackers. Based on the investigation, two possibilities were identified: the first is that they were conducting APT attack campaigns under the guise of Hades ransomware; the second is that several different groups coincidentally attacked the same environment.

Among the indicators of Hades ransomware attack activity, a domain attributed to Hafnium, an APT group, was found; Microsoft believes that Hafnium used ProxyLogon to conduct a 0day attack on Microsoft servers.

Researchers also found evidence of other threat groups in some of the victim environments attacked by Hades. For example, tools pointing to the TimisoaraHackerTeam (THT) ransomware group (named after a town in Romania) were found in multiple cases, most likely weeks after the Hades attack. These included:

● vssadmin used to delete volume shadow copies from the local computer
● Encryption of the local computer using BitLocker or BestCrypt (bcfmgr)
● Outbound connections to the external Romanian IP address 185.225.19.240
● As an indicator of compromise (IoC), a Romanian IP address observed between October and November that exhibited malicious behavior and was associated with two new files tracked on VirusTotal
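The THT tooling listed above maps directly onto a few host and network detections. The following is an added example (not from the original article): a small Python triage script that runs those rules over constructed log lines. The key="value" log format, the manage-bde pattern for BitLocker, and treating bcfmgr as an image name are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Network indicator quoted in the article.
SUSPECT_IP = "185.225.19.240"

# Process-creation rules for the tooling the article lists. Using "bcfmgr" as an
# image name and manage-bde for BitLocker are assumptions of this example.
PROC_RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("bestcrypt_encryption", re.compile(r"\bbcfmgr(\.exe)?\b", re.I)),
    ("bitlocker_enable", re.compile(r"manage-bde(\.exe)?\s+-on\b", re.I)),
]

@dataclass
class Alert:
    host: str
    rule: str
    evidence: str

def parse_line(line):
    """Parse one constructed key="value" log line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def detect(lines):
    """Return an Alert for every line that matches a process or network rule."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        host = ev.get("host", "?")
        if ev.get("event") == "process_create":
            cmd = ev.get("cmdline", "")
            for name, rx in PROC_RULES:
                if rx.search(cmd):
                    alerts.append(Alert(host, name, cmd))
        elif ev.get("event") == "net_connect" and ev.get("dst") == SUSPECT_IP:
            alerts.append(Alert(host, "suspect_ip_contact", f"{ev.get('image')} -> {ev['dst']}:{ev.get('dport')}"))
    return alerts

# Constructed sample events (not real telemetry): three matching, two benign.
SAMPLE_LOG = [
    r'event="process_create" host="WS01" cmdline="C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"',
    r'event="process_create" host="WS01" cmdline="C:\Windows\System32\notepad.exe C:\Users\a\notes.txt"',
    r'event="process_create" host="FS02" cmdline="C:\Program Files\BestCrypt\bcfmgr.exe"',
    r'event="net_connect" host="FS02" image="C:\Windows\System32\svchost.exe" dst="185.225.19.240" dport="443"',
    r'event="net_connect" host="WS01" image="C:\Program Files\Browser\browser.exe" dst="203.0.113.7" dport="443"',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.host}] {a.rule}: {a.evidence}")
```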

Hades’ toolset and attack techniques include several tools and methods commonly used by espionage-related threat groups. The group leveraged valid accounts in the victim’s environment, including service accounts and privileged administrator accounts. In one victim environment the researchers observed Mimikatz being used to extract credentials; the same environment also contained the file winexesvc.exe on the Exchange system where the Hafnium-linked domain was identified. Hades then moved laterally from one system to another, crossing domains, for the next step in the intrusion.

IOCs
