Researchers have revealed the identity of the Hades ransomware’s operators after discovering a new adversary organization called Gold Winter. Read on to know more…
The operators of the Hades ransomware have been identified, according to a group of researchers. The researchers recently revealed the distinctive Tactics, Techniques, and Procedures (TTPs) the ransomware operators used in their attacks. Hades ransomware was initially discovered in December 2020, following repeated attacks on several organizations.
Gold Winter, the newly found adversary, is suspected of being the operator behind the Hades ransomware, according to researchers from the Counter Threat Unit (CTU) at Secureworks. This gang is suspected to be based in Russia and is financially motivated, according to the researchers. It is looking for high-value targets, notably North American manufacturers.
The findings are based on Secureworks’ incident response engagements in the first quarter of 2021. The researchers wrote: “Some third-party reporting attributes Hades to the Hafnium threat group, but CTU research does not support that attribution.”
“Other reporting attributes Hades to the financially motivated Gold Drake threat group based on similarities to that group’s WastedLocker ransomware. Despite use of similar application programming interface (API) calls, the CryptOne crypter, and some of the same commands, CTU researchers attribute Hades and WastedLocker to two distinct groups as of this publication.”
Other reports from third-party security firms linked the Hades ransomware to the financially motivated threat group Gold Drake, citing similarities to the WastedLocker ransomware developed by that group. Despite the fact that Hades and WastedLocker used the same API calls, the CryptOne crypter, and some of the same commands, CTU researchers concluded that they belonged to two different groups.
Distinctive TTPs of Gold Winter
CTU’s examination found that Gold Winter’s TTPs do not match those seen in other ransomware families, even though other experts have made a variety of assertions about the group. The following are the findings about Gold Winter reported by CTU researchers:
This group does not use a single leak site to name and shame victims. Instead, each victim is given a Tor-based website with a unique Tox chat ID for conversation.
To deceive researchers, the ransomware gang may employ copycat ransom notes from well-known families such as REvil and Conti. The researchers wrote: “Gold Winter may use lookalike ransom notes to confuse researchers or perhaps to pay homage to admired ransomware families.”
The ransomware deletes volume shadow copies and uses randomly generated five-character strings for both the encrypted file extension and the victim ID. The researchers noted: “Based on the definition of this term, perhaps the threat actors view their ransomware activity as a way to prompt organizations to improve their security.”
The Gold Winter group uses two distinct initial access vectors: SocGholish malware disguised as a fake Chrome update, and VPN access protected only by single-factor authentication.
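The shadow-copy deletion listed above is exactly the kind of pre-encryption signal that the conclusion below says defenders need to catch early. As an added illustration (not code from the article or from Secureworks), the following Python scans process-creation log lines for shadow-copy deletion commands. The log lines and their field layout are constructed for the example, and the command patterns are the widely documented signatures for ATT&CK T1490 (Inhibit System Recovery); the article itself does not state which command Hades uses, so treating these patterns as the Hades behaviour is an assumption.

```python
import re

# Constructed sample lines in a simplified Sysmon Event ID 1 (process creation) style.
# The field layout is an assumption for this example, not a real log format.
SAMPLE_LOG = """\
2021-03-02T10:14:01Z host=wks-17 user=jdoe image=C:\\Windows\\explorer.exe cmdline="C:\\Windows\\explorer.exe"
2021-03-02T10:15:22Z host=wks-17 user=jdoe image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
2021-03-02T10:15:23Z host=wks-17 user=jdoe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy delete"
2021-03-02T10:15:40Z host=wks-17 user=jdoe image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe list shadows"
2021-03-02T10:16:05Z host=wks-17 user=jdoe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic process list brief"
"""

# Signatures for shadow-copy destruction (MITRE ATT&CK T1490). These are common
# defender detections; the article does not say which of them Hades uses (assumption).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.IGNORECASE),
]

# Parser for the constructed line format: timestamp, host, user, image path, quoted command line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmdline="(?P<cmdline>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_shadow_copy_deletions(log_text):
    """Return the parsed events whose command line matches a shadow-copy deletion signature.

    Enumeration commands such as 'vssadmin list shadows' are deliberately not flagged,
    because administrators run them routinely; only destructive forms trigger a hit.
    """
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        if any(p.search(event["cmdline"]) for p in SHADOW_DELETE_PATTERNS):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_shadow_copy_deletions(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['host']} {hit['user']}: {hit['cmdline']}")
```

Run stand-alone, the script flags the two destructive commands and ignores the two enumeration commands. In a real SIEM the same logic would sit on a process-creation feed, and a hit from a workstation user account, as opposed to a backup service account, is the alert worth paging on, since it typically precedes encryption by minutes.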
A Brief Conclusion
Gold Winter appears to be either a private ransomware group or a front for another threat group attempting to deceive law enforcement and researchers. The latest findings show that the threat actors may be trying to look different on purpose, or that their attack strategies are simply evolving. Only time will tell which is true.
Before the encryption process begins, it is crucial for enterprises to respond diligently to early signs of threat actor activity. As threat actors’ TTPs evolve, staying one step ahead of them becomes increasingly difficult, and when it comes to investigating pre-infection activity, organizations do not have the luxury of time.