Hades ransomware has lately been in the daily news, leaving devastation in its wake. So has Hafnium, known from the most recent attacks on Microsoft Exchange Servers.

The scoop

Researchers surmise that the Hafnium APT group might be operating under the disguise of Hades. One of the findings that led them to this conclusion is that, in one of Hades’s attacks, an IoC was identified as a Hafnium domain within corresponding timelines. This was spotted in only one of the Hades-related cases.

  • Hades victim environments have also been found to correlate with artifacts from the TimosarHackerTeam (THT) in several cases.
  • CrowdStrike stated that Hades is just a 64-bit compiled strain of WastedLocker, propagated by the Evil Corp threat actor. Similarities have also been spotted in the ransom notes of Hades and REvil.
  • Hades doesn’t use its own malware and thus might be working with other threat actors. The ransomware is suspected to be leveraging various ransomware-as-a-service offerings.

Although a relatively new addition to the threat landscape, Hades has been unrelentingly causing chaos across the cyber world. It might have a potential connection with Hafnium, but it is too soon to say that they are run by the same operators. Hades also shares IoCs with other threat actors, but no concrete evidence has been found to link the ransomware group with another. Guess we’ll just have to wait.