"Hades Ransomware Hits Big Firms, but Operators Slow to Respond to Victims"

Researchers from Awake Security, CrowdStrike, and Accenture analyzed attacks involving the Hades ransomware and shared findings on both the malware itself and its operators' tactics, techniques, and procedures (TTPs). Hades ransomware, which is distinct from the Hades Locker ransomware, uses a double-extortion tactic: the operators exfiltrate a victim's data and threaten to leak it publicly in order to pressure the victim into paying the demanded ransom. The Hades operators appear to focus primarily on enterprises, some of which have been multi-national organizations with revenues above $1 billion. Hades has mainly impacted Germany, Luxembourg, Canada, Mexico, and the United States. Only a few industries have been targeted, including consumer products, transportation and logistics, and manufacturing and distribution. The ransom notes obtained from Hades samples demanded payments ranging from $5 million to $10 million. In a typical Hades attack, legitimate credentials are used to connect to Internet-facing systems via the Remote Desktop Protocol (RDP) or a Virtual Private Network (VPN). Cobalt Strike and Empire implants are also typically deployed for persistence. The operators additionally use several scripts to perform reconnaissance, collect credentials for privilege elevation, identify additional systems in the target network, and more. This article continues to discuss key findings from the dissection of Hades ransomware attacks.

Security Week reports "Hades Ransomware Hits Big Firms, but Operators Slow to Respond to Victims"
