Hades Ransomware

Hades Ransomware

Introduction: Hades ransomware, also known as Phoenix Locker, emerged in December 2020 as a private ransomware operated by “Evil Corp,” the group responsible for WastedLocker. Known for its agility and hands-on approach, Hades targets various industries, operating as a private ransomware rather than through Ransomware-as-a-Service (RaaS).
Targets: Hades ransomware targets a range of industries, including healthcare, manufacturing, education, government, finance, and professional services. However, it avoids targeting entities within the Commonwealth of Independent States (CIS).
Propagation: Hades ransomware is deployed through Cobalt Strike or similar frameworks, email phishing, and brute force attacks against Remote Desktop Protocol (RDP) services. The operators are also known to target vulnerabilities, including ProxyShell (CVE-2022-34523).

Technical Details:

  • Codebase: Hades is a 64-bit compiled version of WastedLocker, showing significant code and functionality overlaps.
  • Variants: A variant named ‘Phoenix Locker’ surfaced in March 2021, believed to be a rebranded version of Hades with minimal changes.
  • UAC Bypass: Hades employs a User Account Control (UAC) bypass from the UCME product.
  • Execution: Unlike other Evil Corp ransomware, Hades does not use Alternate Data Streams (ADS) during its execution.
  • Storage of Key Information: Hades stores key information in each encrypted file, differing from WastedLocker and Bitpaymer, which store it inside a ransom note.
  • Communication: Victims are instructed to contact attackers via the TOX messenger, with each ransom note containing a unique, victim-specific TOX-ID.

Detection Strategies: EDR is effective in identifying and preventing malicious activities related to Hades ransomware. For those without this platform, a multi-layered approach is recommended:

  1. Security Tools:
    • Utilize anti-malware software or security tools capable of detecting and blocking known ransomware variants using signatures, heuristics, or machine learning algorithms.
  2. Network Traffic Monitoring:
    • Regularly monitor network traffic to identify indicators of compromise, such as unusual patterns or communication with known command-and-control servers.
  3. Security Audits:
    • Conduct periodic security audits and assessments to identify vulnerabilities in the network and ensure that all security controls are effective.
  4. Education & Training:
    • Educate and train employees on cybersecurity best practices, emphasizing the identification and reporting of suspicious emails and other threats.
  5. Backup & Recovery Planning:
    • Implement a robust backup and recovery plan to restore data in case of an attack.

Mitigation Measures: For EDR customers, the EDR can return systems to their original state using either the Repair or Rollback feature. For those without EDR , the following steps can help mitigate the risk of Hades ransomware attacks:

  1. Employee Education:
    • Train employees on ransomware risks, phishing email identification, and the avoidance of malicious attachments.
  2. Strong Passwords:
    • Implement strong, unique passwords for user accounts, regularly updating and rotating them.
  3. Multi-Factor Authentication (MFA):
    • Enable MFA for user accounts to add an extra layer of security.
  4. System Updates and Patching:
    • Regularly update and patch systems to fix vulnerabilities and prevent exploitation.
  5. Backup and Disaster Recovery (BDR):
    • Establish regular BDR processes, testing backups stored offsite for quick recovery.

A comprehensive approach, combining preventive measures, employee education, and recovery strategies, is crucial for effectively mitigating the risk of Hades ransomware attacks.

Back

Copyright © 2024 RASOC all rights reserved