A group of researchers has discovered the identity of the operators behind the Hades ransomware spotted in December 2020 after attacks on multiple organizations. Newly discovered adversary as Gold Winter, which is suspected to be the operator behind the Hades ransomware.

This group is financially motivated and believed to be based in Russia. It seeks high-value targets, particularly North American manufacturers.

Other reports suggest Hades ransomware to the financially motivated threat group Gold Drake, based on similarities to the WastedLocker ransomware developed by that group. 

Despite the use of the same API calls, the CryptOne crypter, and some of the same commands, CTU researchers linked Hades and WastedLocker to two separate groups.

Unique TTPs of Gold Winter

  • This group names and shames victims,it does not use a single leak site. A Tor-based website is customized for each victim with a specific Tox chat ID for communication.
  • The group may use lookalike ransom notes of high-profile families such as REvil and Conti to mislead researchers.
  • It replaces randomly generated five-character strings for encrypted file extension and the victim ID with words that use two different initial access vectors and deletes volume shadow.

Final Thoughts

Gold Winter is apparently operating as a private ransomware group or used as a front by another threat group to fool law enforcement and researchers.