Hades, the ransomware group known for targeting billion-dollar businesses, has claimed at least seven victims since its discovery late last year. Some revelations made by the Accenture Security research actually deepen the mystery surrounding the group.

What happened?

Researchers from Accenture stated that Hades operators were discovered targeting new victims in the consumer goods, services, insurance, manufacturing, and distribution industry sectors, since March.
  • The operators are using the Phoenix Cryptolocker variant, which is believed to prevent attribution claims or any link.
  • In addition, the group is using credential access via VPN and SocGholish malware, PSexec for lateral movement, Mimikatz for credential access, and Advanced IP scanner for reconnaissance, among other tools.
  • Furthermore, some unique and destructive actions were identified across various intrusions, such as targeted destruction of cloud-native backups/snapshots and enumeration of cloud environments.

Researchers stated that they are not yet able to make any strong connection to any established hacker group, and suspect that this group could be working independently.

A lone wolf

Experts have also assessed that Hades does not operate under an affiliate-based model or RaaS operation. The security firm yet did not make any attribution claims based on recent intrusion clusters.
  • The group carefully selects a target and has a unique approach to victim communication, combined with a lone wolf approach aligned with its relatively low number of known victims.
  • Based on updated intrusion data from incident response engagements, the operators tailor their tactics and run a more hands-on keyboard operation to cause maximum damage.

The deepening mystery

Earlier reports from other researchers have made different claims, attributing this group to various renowned threat actors.
  • A report from Crowdstrike linked this group to the Russian gang Evil Corp, calling the Hades ransomware a successor to WastedLocker.
  • A different report from SecureWorks linked this group to the TTPs of Gold Winter group.
  • Some third-party sources were seen linking this group to the HAFNIUM threat group and the financially motivated Gold Drake threat group, as well.


The variation in the attribution to entirely different groups makes Hades a more mysterious entity. It is possible that the group is quickly changing and adapting its TTPs. Furthermore, the recent activity by Hades is an indicator of a shift in approach to target more industries.

Cyware Publisher