hades details

Description

Hades is a ransomware group first observed in December 2020, believed by several threat intelligence firms to be operated by, or closely linked to, the Evil Corp cybercrime syndicate. The group has primarily targeted large enterprises in the United States, Canada, and Germany, conducting big-game hunting operations. Hades is not known to operate as an open Ransomware-as-a-Service (RaaS) platform; instead, attacks appear to be conducted by the core operators. It uses a double-extortion model, encrypting systems and threatening to leak stolen data via a Tor-based portal. The ransomware payload is typically deployed after extensive network reconnaissance and lateral movement, often through compromised VPN credentials and exploitation of exposed services. Encrypted files are appended with the .hades extension, and ransom notes direct victims to unique Tor portals for negotiation. Notable sectors affected include manufacturing, transportation, and consumer goods.

External Analysis
http://www.secureworks.com/research/threat-profiles/gold-winter
https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp
https://awakesecurity.com/blog/incident-response-hades-ransomware-gang-or-hafnium/
https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://killingthebear.jorgetesta.tech/actors/evil-corp
https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
https://twitter.com/inversecos/status/1381477874046169089?s=20
https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware
https://www.accenture.com/us-en/blogs/security/ransomware-hades
https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities
https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/
https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox
https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure
https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf

External Analysis

http://www.secureworks.com/research/threat-profiles/gold-winter

https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp

https://awakesecurity.com/blog/incident-response-hades-ransomware-gang-or-hafnium/

https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://killingthebear.jorgetesta.tech/actors/evil-corp

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://twitter.com/inversecos/status/1381477874046169089?s=20

https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware

https://www.accenture.com/us-en/blogs/security/ransomware-hades

https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities

https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/

https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/

https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox

https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions

https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure

https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf

Url	Status	Screen	Uptime 30d	Health
http://ixltdyumdlthrtgx.onion	Down		0%

Url

Status

Screen

Uptime 30d

Health

http://ixltdyumdlthrtgx.onion

Down

Url	Status	Screen	Uptime 30d	Health
http://m6s6axasulxjkhzh.onion/	Down		0%

Url

Status

Screen

Uptime 30d

Health

http://m6s6axasulxjkhzh.onion/

Down