GOLD WINTER Cybercrime Group

Cybersecurity researchers have reported with high confidence that a newly identified hacker group, which they designated GOLD WINTER, is responsible for the attack operations involving the Hades Ransomware. Hades appeared on the cybercrime stage in December 2020 and has since been leveraged against multiple targets. Previously, different infosec firms had attributed the malicious tool to various hacker collectives, including HAFNIUM and GOLD DRAKE. GOLD DRAKE in particular appeared to be the likely culprit due to several overlaps between Hades and that group's own ransomware threat, WastedLocker: similar programming interface calls, use of the CryptOne cryptor, and several identical commands present in both threats. Secureworks' researchers, however, found enough distinguishing aspects of the Hades attacks to classify its operator as a separate threat actor.

Unlike most ransomware operators, who are somewhat indiscriminate when looking for victims, GOLD WINTER appears to apply strict criteria when choosing its targets. The group goes after a small subset of high-value targets, mainly manufacturing organizations in North America. This allows the hackers, who are most likely Russia-based, to maximize their profit from each successful breach.

GOLD WINTER's Characteristics

The group shows signs of taking deliberate steps to mislead the infosec community and make attribution of the Hades ransomware more difficult. GOLD WINTER has often dropped ransom notes taken from other high-profile ransomware families onto compromised systems. In some instances, Hades deployed notes imitating those of the REvil family, with names such as HOW-TO-DECRYPT-<victim ID>.txt, while on other victims the threat dropped an imitation of the Conti Ransomware's note (CONTACT-TO-DECRYPT.txt).
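An added defender-side example, not from the original entry or from Secureworks: a small Python hunt over file-creation events that flags the two ransom-note filename styles mentioned above and labels each hit as an imitated note style rather than a family attribution, since the text shows Hades reusing both. The host names, paths and victim-ID value in the sample events are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Ransom-note filename styles the entry reports Hades borrowing from other
# families. The label says which family's note is being imitated, nothing more.
NOTE_PATTERNS: Dict[str, re.Pattern] = {
    "REvil-style": re.compile(r"^HOW-TO-DECRYPT-[A-Za-z0-9]+\.txt$", re.IGNORECASE),
    "Conti-style": re.compile(r"^CONTACT-TO-DECRYPT\.txt$", re.IGNORECASE),
}

# Constructed sample of (host, created_path) events; not real telemetry.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("wks-017", r"C:\Users\alice\Documents\HOW-TO-DECRYPT-9f3a1c2b.txt"),
    ("wks-017", r"C:\Users\alice\Documents\report.docx"),
    ("srv-db-02", r"D:\Shares\finance\CONTACT-TO-DECRYPT.txt"),
    ("wks-021", r"C:\Temp\notes-on-how-to-decrypt.txt"),  # benign lookalike
]


def classify_note(path: str) -> Optional[str]:
    """Return the imitated note style for a file path, or None if it is not a
    known ransom-note name. Windows paths are case-insensitive, so match
    the basename case-insensitively."""
    basename = path.replace("\\", "/").rsplit("/", 1)[-1]
    for style, pattern in NOTE_PATTERNS.items():
        if pattern.match(basename):
            return style
    return None


def hunt_ransom_notes(events: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Scan file-creation events and report ransom-note drops. Each hit carries
    the imitated style plus an explicit low-confidence attribution caveat,
    because Hades is known to drop REvil- and Conti-style notes."""
    hits = []
    for host, path in events:
        style = classify_note(path)
        if style is None:
            continue
        hits.append({
            "host": host,
            "path": path,
            "note_style": style,
            "attribution": "low confidence: note style is reused across families",
        })
    return hits


if __name__ == "__main__":
    for hit in hunt_ransom_notes(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['note_style']} note at {hit['path']}")
```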

GOLD WINTER does, however, have some unique traits that set it apart. The group does not rely on a centralized leak website where it can 'name and shame' its victims. Instead, each compromised organization is directed to a custom-made Tor-based website, with a victim-specific Tox chat ID provided for communications. The use of the Tox instant messaging service is a novel approach not seen in other ransomware operations. In addition, Hades ransomware has not been made available for purchase on underground hacker forums, indicating that the threat is not offered under a RaaS (Ransomware-as-a-Service) scheme and is instead operated as a private ransomware tool.