preloader

Attack, Deconstructed: Hades Ransomeware

Hades ransomware was discovered in a targeted attack across businesses and has been linked by many to the Hafnium group, a state-backed group of hackers.

Classic Hades ransomware attacks include important files being encrypted and seeing 5 characters at the end of the affected file names, for instance “.cm99v” or “.dvxr9.” Hades ransomware attacks also include ransom notes titled, “HOW-DECRYPT- [appended_extension].txt” with demands and instructions, as shown below:

To retrieve lost files and information, the Hades hacking group demands ransom money and very specific instructions. However, it’s important to take a breath and think clearly before taking any action.

Before we cover what you should do if you experience this attack, let’s ensure you’re protected.

Are you Protected?

If you are a Carbon Black or Crowdstrike user, you are protected as this is an out-of the-box feature.

Carbon Black users: you can investigate this ransomware attack by running the following query: ((process_name:attrib.exe)) -enriched:true

If you are not, you might need to blacklist the File IDs below. That depends on the antivirus and other software you use.

If you’re not sure you are protected, feel free to reach out, and we can help you determine if your software has the right capabilities against this ransomware hack.

FILE ID

HASH TYPE

e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0

SHA256

7272457bac023e7ab635fc3d82212a89918de36d5433dd389e6151805e47b0cd

SHA256

b081f95a66befa3e74b31664b2af723f17af1edb76c6e6da69c52ca0adf377fb

SHA256

ab99a5767c1d598c49b1f5d615a76302

MD5

be4c5e4713009e5446ee042ba7c33fe0

MD5

a1bb903539f4d0752d3d2f2a7e759ea6

MD5

b4061d4227e08cfaa3190dea9926571fca2736a1

SHA1

f8e52380b6f3668d4de6df416c8da389c0d98fe8

SHA1

29b6cecc4547afff9cca196892cd6c46160fea34

SHA1

How can you determine if you've been a victim of this attack?

You will not be able to access important documents as they will be encrypted and have the 5 digit extension on the file name.

To check if you’ve been affected by a Hades ransomware attack, simply search your system for the file extensions: “.cm99v” and “.dvxr9”.

If you find a Hades ransomware file in your system, it's important to take a moment and proceed carefully.

Steps you should take if you have been hacked:

  1. Isolate the infected device. If you don’t know how to do this, contact an expert ASAP.
  2. Immediately reach out to an expert as who can help you identify the infection, search for decryption tools, restore files and create backups to minimize the breach and loss.
  3. Report the ransomware to authorities.

About qmasters

QMasters was founded in 2015 to help Israeli governmental, military, niche security, and municipality offices protect themselves from cyber-attacks. As the cyber security threats grow year after year, so does our list of customers. We are a team of 30+ security experts committed to solving security challenges with the right combination of strategies and technologies.

you might also like:

Understanding UBA (IBM QRadar)

We recently held an exclusive roundtable at IBM's Israel HQ...

COMING SOON: Vulnerability Management - Carbon Black Cloud

In today’s threat landscape, security teams are facing an influx...

Carbon Black App Control Vulnerability

Impacted Products This vulnerability affects versions 8.0, 8.1, 8.5, and...

1 2 3 6

Join our newsletter!

x
c
o
n
t
a
c
t

u
s


    linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram