Hades
Description
Hades is a ransomware group first observed in December 2020, believed by several threat intelligence firms to be operated by, or closely linked to, the Evil Corp cybercrime syndicate. The group has primarily targeted large enterprises in the United States, Canada, and Germany, conducting big-game hunting operations. Hades is not known to operate as an open Ransomware-as-a-Service (RaaS) platform; instead, attacks appear to be conducted by the core operators. It uses a double-extortion model, encrypting systems and threatening to leak stolen data via a Tor-based portal. The ransomware payload is typically deployed after extensive network reconnaissance and lateral movement, often through compromised VPN credentials and exploitation of exposed services. Encrypted files are appended with the .hades extension, and ransom notes direct victims to unique Tor portals for negotiation. Notable sectors affected include manufacturing, transportation, and consumer goods.
| External Analysis |
| http://www.secureworks.com/research/threat-profiles/gold-winter |
| https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp |
| https://awakesecurity.com/blog/incident-response-hades-ransomware-gang-or-hafnium/ |
| https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/ |
| https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 |
| https://killingthebear.jorgetesta.tech/actors/evil-corp |
| https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf |
| https://twitter.com/inversecos/status/1381477874046169089?s=20 |
| https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware |
| https://www.accenture.com/us-en/blogs/security/ransomware-hades |
| https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities |
| https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/ |
| https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/ |
| https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox |
| https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions |
| https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure |
| https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf |
| Urls |
Screen |
| http://ixltdyumdlthrtgx.onion |
|
| Chat servers |
Screen |
| http://m6s6axasulxjkhzh.onion/ |
|