A ransomware group that targets billion-dollar companies — but that has stubbornly defied attribution consensus among cybersecurity researchers — has claimed at least seven victims since its discovery late last year.
What’s more, it has taken additional steps in an apparent bid to baffle investigators who have tried to pin down who, exactly, the operators are, according to Accenture Security research released Tuesday.
The update on the operators of the self-proclaimed Hades ransomware variant adds to its mystery as much as it subtracts from it.
Accenture said it “is not yet able to confidently make attribution claims,” though other researchers have variously described Hades as a new group, suggested it is connected to a wel known Russian ransomware gang, or linked the Hades activity to a Chinese nation-state hacking outfit thought to be behind this year’s Microsoft Exchange Server attack.
What Accenture says it knows is this: First, the Hades operators have, since a March report, targeted new victims in the consumer goods and services, insurance and manufacturing and distribution industry sectors.
Second, Accenture says it has determined with moderate-to-high confidence that the operators have added the Phoenix Cryptolocker variant to their arsenal, “possibly to deter attribution claims or campaign links.” Third, while the Hades operators have been consistent in their tactics, targeting and procedures, “some unique and destructive actions were observed across intrusions, such as targeted enumeration of cloud environments and destruction of cloud-native backups or snapshots.”
Lastly, Accenture says it is moderately confident that the operators don’t use an affiliate model or offer ransomware as a service, which are increasingly popular ways for ransomware gangs to make extra money.
The insights into Hades, first spotted in December, arrive just as some prominent ransomware groups are undergoing a shakeup. DarkSide, whose ransomware afflicted Colonial Pipeline, said it was disbanding following massive negative publicity and law enforcement attention from the May attack. The burgeoning Avaddon gang likewise disappeared this month under mysterious circumstances.
It’s possible both groups are simply rebranding. In March, CrowdStrike said Hades is a successor to WastedLocker, the ransomware used by the Russian gang Evil Corp. The Treasury Department had sanctioned Evil Corp in a bid to forbid ransom payments to the organization.
Acccenture sees a number of potential ransomware trends in its research.
“We think this may be an indicator of a shift in approach where certain ransomware operators are not just evolving their Tactics, Techniques and Procedures (TTPs), but they’re also quickly adapting their operations to changes in the legal and regulatory landscape — to increase the likelihood of payment from victims,” the Accenture cyber investigations, forensics and response team said in an email to CyberScoop. “Based on recent activity by Hades operators, this approach may also be taken to deter or blur attribution for specific attacks or campaigns.”