A group of researchers has discovered the identity of the operators behind the Hades ransomware. Recently, they exposed the distinctive TTPs they employ in their attacks. Hades was first spotted in December 2020 after attacks on multiple organizations.
Researchers at Secureworks named the newly discovered adversary as Gold Winter, which is suspected to be the operator behind the Hades ransomware.
According to the researchers, this group is financially motivated and believed to be based in Russia. It seeks high-value targets, particularly North American manufacturers.
Other reports by some third-party security agencies linked the Hades ransomware to the financially motivated threat group Gold Drake, based on similarities to the WastedLocker ransomware developed by that group.
Despite the use of the same API calls, the CryptOne crypter, and some of the same commands, CTU researchers linked Hades and WastedLocker to two separate groups.
Unique TTPs of Gold Winter
The analysis of Gold Winter by CTU found no TTPs matching to other ransomware families, meanwhile, other experts made various claims about it. Here are the revelations made by the CTU researchers about the Gold Winter group:
This group names and shames victims, however, it does not use a single leak site. Instead, a Tor-based website is customized for each victim with a specific Tox chat ID for communication.
The group may use lookalike ransom notes of high-profile families such as REvil and Conti to mislead researchers.
It replaces randomly generated five-character strings for encrypted file extension and the victim ID with words that use two different initial access vectors and deletes volume shadow.
Gold Winter is apparently operating as a private ransomware group or used as a front by another threat group to fool law enforcement and researchers. The recent finding suggests that threat actors may be deliberately trying to find ways to look different or it's simply an evolution in their attack techniques. Only time may tell.