Hades

1. Introduction

This module provides an overview of Hades ransomware, including a demonstration of the malware being executed on a Windows OS.

2. What is Hades?

Hades is the successor to WastedLocker, which is a double extortion ransomware family thought to be used by the APT group EvilCorp (self-given name). The group is also known as IndrikSpider (by CrowdStrike), GoldWinter (by Secureworks), and Gold Drake (also by Secureworks). It emerged in 2014 and has been responsible for many attacks against a variety of targets. Its motive appears to be monetary gain, and its typical targets are large organizations, an approach known as big game hunting. The link between Hades and WastedLocker was discovered by CrowdStrike.

In December 2019, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) introduced sanctions to combat the group, one of which prevented any large payments to EvilCorp, thus making their ransom demands futile. After some downtime, Hades emerged at the end of 2020. In March, CrowdStrike attributed Hades to EvilCorp because of its major code overlap with WastedLocker. There are differences, however, such as:

  • Hades is a 64-bit executable, not 32-bit.

  • More code obfuscation to evade signature-based detection.

  • Uses system calls in place of the Windows API calls.

  • Uses a different method to bypass UAC — both methods are open-source exploits.

  • One ransom note per folder instead of one per file.

  • Key data is stored in encrypted files rather than a ransom note.

  • No longer uses the .bin alternate data stream to hide files.

The Hades ransom note is not personalized for each victim, which was also the case with the WastedLocker note. It promises to restore files if the victim complies and, to encourage victims to pay up, assures them that the group needs to keep its honorable reputation. It also offers to decrypt one file for free to demonstrate that the files can be restored. Lastly, the note states that data will be leaked publicly if the victim does not cooperate. Usually, the leak is delayed for some time to make it difficult to attribute to them.

Below is an example of one of the landing sites for the victim to get in contact with the attacker. It also shows an example of the ransom note. As you can see from the URL, the victim is instructed to download a Tor browser to access this hidden website.

Recently, security researchers at Awake Labs have discovered other possible variants of the Hades ransomware which indicate that other APT groups, such as REvil and Hafnium, might be using it.

Indicators include:

  • Identical wording and/or formatting in ransom notes to those used by other groups.

  • Different contact information.

  • Indicators of compromise in the same environments before the Hades infection.

Some potential indicators of compromise by Hafnium were discovered around the same time that an organization was infected with Hades and data was leaked. This suggests that either Hafnium was using Hades as a guise to cover their true motives, or two different groups attacked the organization at the same time. It is still unclear which groups or how many groups use the Hades ransomware currently.

3. Typical Attack Vectors

EvilCorp uses various techniques to infiltrate a network and extract data before executing the Hades ransomware. Some of the known attack vectors used by EvilCorp to infiltrate their victims' networks are as follows:

  • Public-facing RDP service: Any service exposed to the internet which allows a user to authenticate also welcomes anyone else to attempt to authenticate to or exploit the service. RDP should not be publicly accessible unless it is absolutely unavoidable.

  • Valid VPN credentials and internal RDP services: Similar to the previous point, if the attacker can access the organization's VPN, they may have access to the entire internal network, including internal RDP servers.

  • Fake software updates on compromised websites: First, the attacker compromises a website that provides updates for a particular piece of software that the organization uses. Then, users who download the software update from this site may in fact be downloading EvilCorp's malware.

  • Microsoft Exchange vulnerabilities such as ProxyLogon (used by Hafnium): ProxyLogon is a server-side request forgery vulnerability that allows the attacker to bypass authentication, write files, and execute arbitrary code. This method is used by Hafnium and is included here because there is some evidence that Hafnium may also be using Hades.

EvilCorp has also been known to use email phishing to gain initial access, but they have not been observed using this method to spread the Hades ransomware.

4. Attacker TTPs

EvilCorp has been observed by multiple security researchers using the following techniques to infiltrate their victims' networks, maintain persistence, and exfiltrate valuable data before launching their ransomware attack.

  • Open-source exploits are used to Bypass User Account Control.

  • EvilCorp often uses tools such as Cobalt Strike and Empire to maintain Command and Control with the infected host. These are typically disguised as legitimate Windows programs.

  • They achieve privilege escalation by gathering credentials for Valid Accounts. Mimikatz, Cobalt Strike, and ProcDump are used to dump credentials from LSASS memory, which can reveal cached domain administrator credentials.

  • Defense Evasion is achieved by escalating to Domain Administrator which allows the attacker to stop antimalware services and disable and clear Windows event logs.

  • EvilCorp achieves Lateral Movement to other hosts through extensive use of Cobalt Strike (which even provides a lateral movement GUI) and valid credentials. They also make use of WMI to execute commands on remote computers.

  • Data is compressed (in some cases using 7zip) and exfiltrated over a C2 Channel using Empire.

  • Finally, the Hades ransomware is deployed. Now the attacker has files that can be used for additional leverage against the victim. Rather than the victim simply losing the files if they do not pay, the attacker will threaten to leak the data to increase pressure on the victim — hence the term double-extortion ransomware.

When Hades is deployed on the victim host, it does the following:

  1. Creates a copy of itself somewhere within the appdata folder with a random filename and no extension.

  2. Relaunches itself using the /go argument. This can be used to evade antivirus by passing in malicious code as a command-line variable.

  3. Deletes itself and its copy.

  4. Unpacks and executes in memory.

  5. Bypasses User Account Control.

  6. Deletes shadow copies using the vssadmin.exe Delete Shadows /All /Quiet command.

  7. Searches directories and network shares for files to encrypt (with exceptions to allow the computer to function normally).

  8. Encrypts files.

  9. Creates a file called HOW-TO-DECRYPT-[random ID].txt in each folder with encrypted files.
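
Seen from the defender's side, steps 1, 2, 6 and 9 above each leave a trace in process-creation and file-creation telemetry. The following is an added example, not part of the original module: it correlates those three behaviours per host over constructed events. The event dictionaries, their keys, the hostnames, paths and note ID are assumptions made for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Constructed events (not from a real incident). Keys are simplified,
# hypothetical stand-ins for Sysmon ID 1 (process create) / ID 11 (file create).
EVENTS = [
    {"id": 1, "host": "ws01", "image": r"C:\Users\amy\AppData\Roaming\Wqkzt\Rfvb",
     "cmd": r"C:\Users\amy\AppData\Roaming\Wqkzt\Rfvb /go"},
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"id": 11, "host": "ws01", "target": r"C:\Users\amy\Documents\HOW-TO-DECRYPT-ab12c.txt"},
    {"id": 11, "host": "ws01", "target": r"D:\Share\Finance\HOW-TO-DECRYPT-ab12c.txt"},
    # Benign look-alikes that must not alert:
    {"id": 1, "host": "ws02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe list shadows"},
    {"id": 1, "host": "ws02", "image": r"C:\Users\bob\AppData\Local\app\app.exe",
     "cmd": "app.exe /go"},
]

GO_RE = re.compile(r"(?:^|\s)/go(?:\s|$)", re.I)
VSS_RE = re.compile(r"\bdelete\s+shadows\b.*?/all\b", re.I)
NOTE_RE = re.compile(r"^HOW-TO-DECRYPT-[^\\/]+\.txt$", re.I)

def classify(ev):
    """Return the name of the Hades behaviour an event matches, or None."""
    if ev["id"] == 1:
        name = ntpath.basename(ev["image"])
        hidden = "\\appdata\\" in ev["image"].lower() and not ntpath.splitext(name)[1]
        if hidden and GO_RE.search(ev["cmd"]):
            return "appdata_copy_relaunch"      # steps 1-2
        if name.lower() == "vssadmin.exe" and VSS_RE.search(ev["cmd"]):
            return "shadow_copy_delete"         # step 6
    elif ev["id"] == 11 and NOTE_RE.match(ntpath.basename(ev["target"])):
        return "ransom_note_drop"               # step 9
    return None

def triage(events):
    """Group hits per host and record every folder that received a note."""
    report = defaultdict(lambda: {"rules": set(), "note_dirs": []})
    for ev in events:
        rule = classify(ev)
        if rule:
            report[ev["host"]]["rules"].add(rule)
            if rule == "ransom_note_drop":
                report[ev["host"]]["note_dirs"].append(ntpath.dirname(ev["target"]))
    return dict(report)

if __name__ == "__main__":
    print(triage(EVENTS))
```

Because Hades writes one note per folder, the `note_dirs` list doubles as a first estimate of which directories and shares were encrypted.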

5. Ransomware execution

Connect to the windows06 machine via the RDP shortcut on the Desktop.

Once you have connected to the windows06 machine desktop, you should see the Hades.exe file is present. Execute this file and watch the ransomware propagate as the machine becomes infected and the files are encrypted. Observe the changes to the file extensions after the Hades payload has been executed, and read the ransom note that gets dropped onto the desktop.

6. Encryption Method

Files are encrypted with dynamically generated AES-256 keys which are then encrypted with an RSA-4096 public key and appended to the encrypted files. This RSA key is hardcoded into the malware and is unique to each target. In every case, a ransom note is added to all directories containing encrypted files.

Hades lists all the logical drives attached to the system and iterates through each drive. It encrypts anything that isn't marked to be excluded by the threat actors, such as the ransomware tools themselves or system folders, to allow the computer to continue to function.

7. Security Questions

  1. Which type of adversary is IndrikSpider/Evil Corp?

  2. What is the name of the ransomware used by IndrikSpider/EvilCorp that Hades is believed to be based on?

  3. How can the victim contact the attacker to restore their files?

  4. Which tools does EvilCorp use to collect valid Domain Administrator credentials?

  5. Domain Administrator credentials grant increased privileges which allow EvilCorp to disable defenses and evade detection. True or false?

  6. Hades encrypts files locally — files on network shares are safe. True or false?

  7. What file extension does Hades give to encrypted files?

  8. What URL was provided in the ransom note?

  9. What encryption standard does Hades use to encrypt files?

8. Answers

  1. Black Hat (incl. Big Game Hunters)

  2. WastedLocker

  3. TOX Messenger

  4. Mimikatz, ProcDump, CobaltStrike

  5. True

  6. False

  7. gn9cj

  8. hxxp://khfsk3ffg3av3rha.onion

  9. AES-256
