GOLD WINTER
SUMMARY
GOLD WINTER was the threat group designation used by CTU researchers to characterize Hades post-intrusion ransomware incidents that occurred between December 2020 and around March 2021. Hades was operated as a private-use ransomware, and the threat actors used name-and-shame tactics as additional leverage over victims. Unlike many other ransomware groups, the Hades operators did not use a central public leak site; instead they used Tor sites customized for each victim, each including a Tox chat ID for communication that also appeared to be unique to that victim.
Based on subsequent detailed analysis of the Hades ransomware, in August 2021 CTU researchers assessed with moderate confidence that Hades, as well as the related Phoenix CryptoLocker and Payload.Bin variants, were derived from the WastedLocker source code and were operated by GOLD DRAKE. The working hypothesis is that GOLD DRAKE has abandoned use of Dridex and is periodically changing ransomware to make attribution of their activities more difficult, to reduce the likelihood that victims will realise that they are paying GOLD DRAKE (also known as Evil Corp) and therefore might be in violation of U.S. Treasury rules on ransom payments to sanctioned entities. CTU researchers attribute post-intrusion ransomware attacks involving Hades and its derivatives to GOLD DRAKE, rather than the (now retired) GOLD WINTER threat group.
CTU researchers observed Hades post-intrusion ransomware attacks using two distinct initial access vectors: SocGholish malware disguised as a fake Chrome update, and single-factor authentication VPN access. Post-exploitation tools included extensive use of Cobalt Strike as well as Mimikatz, Advanced Port Scanner, PsExec, Metasploit, MSBuild, batch scripts to repeatedly stop services and clear event logs, and MEGASync for data exfiltration. RDP and reverse SOCKS proxies were also used to maintain access to victims' environments. Observed command and control infrastructure tended to use Selectel-hosted IP space, with domains registered with the REG.RU registrar.
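As an added example (not code from the CTU profile), the following Python flags two of the post-exploitation behaviours described above in normalised Windows event data: bursts of service stops of the kind a scripted stop loop produces, and clearing of the Security and System event logs. The sample events and their field names are constructed for this example and are not a vendor schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a tight burst of System 7036 "entered the stopped state"
# events on FS01, followed by the Security log (1102) and System log (104)
# being cleared; WS07 shows a single, benign service restart for contrast.
SAMPLE_EVENTS = [
    {"ts": "2021-02-01T03:10:00", "host": "FS01", "channel": "System", "event_id": 7036, "service": "MSSQLSERVER", "state": "stopped"},
    {"ts": "2021-02-01T03:10:02", "host": "FS01", "channel": "System", "event_id": 7036, "service": "SQLWriter", "state": "stopped"},
    {"ts": "2021-02-01T03:10:03", "host": "FS01", "channel": "System", "event_id": 7036, "service": "VSS", "state": "stopped"},
    {"ts": "2021-02-01T03:10:05", "host": "FS01", "channel": "System", "event_id": 7036, "service": "wuauserv", "state": "stopped"},
    {"ts": "2021-02-01T03:10:06", "host": "FS01", "channel": "System", "event_id": 7036, "service": "Spooler", "state": "stopped"},
    {"ts": "2021-02-01T03:10:30", "host": "FS01", "channel": "Security", "event_id": 1102},
    {"ts": "2021-02-01T03:10:31", "host": "FS01", "channel": "System", "event_id": 104},
    {"ts": "2021-02-01T09:00:00", "host": "WS07", "channel": "System", "event_id": 7036, "service": "Spooler", "state": "stopped"},
    {"ts": "2021-02-01T12:00:00", "host": "WS07", "channel": "System", "event_id": 7036, "service": "Spooler", "state": "running"},
]

def detect_log_clearing(events):
    """Return sorted (host, channel) pairs where an event log was cleared.
    1102 = Security log cleared (Microsoft-Windows-Security-Auditing);
    104  = System/Application/other log cleared (Microsoft-Windows-Eventlog)."""
    return sorted({(e["host"], e["channel"]) for e in events
                   if (e["event_id"] == 1102 and e["channel"] == "Security")
                   or (e["event_id"] == 104 and e["channel"] != "Security")})

def detect_service_stop_burst(events, window=timedelta(seconds=60), threshold=5):
    """Return {host: count} for hosts where at least `threshold` distinct
    services entered the stopped state (7036) inside one sliding window.
    Scripted stop loops produce tight bursts; routine operations rarely do."""
    per_host = defaultdict(list)
    for e in events:
        if e["event_id"] == 7036 and e.get("state") == "stopped":
            per_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e["service"]))
    hits = {}
    for host, stops in per_host.items():
        stops.sort()
        best = 0
        for i, (t0, _) in enumerate(stops):
            in_window = {svc for t, svc in stops[i:] if t - t0 <= window}
            best = max(best, len(in_window))
        if best >= threshold:
            hits[host] = best
    return hits

if __name__ == "__main__":
    print(detect_log_clearing(SAMPLE_EVENTS))       # [('FS01', 'Security'), ('FS01', 'System')]
    print(detect_service_stop_burst(SAMPLE_EVENTS))  # {'FS01': 5}
```

Correlating the two signals on the same host within a short interval is the higher-fidelity alert; either one alone carries more benign noise.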