Inactive ransomware operator
← All groupsHades
1 victims indexed · first seen 5 years ago · last activity 5 years ago
1
Victims indexed
#309 of 348 tracked operators
<1m
Active period
Dec 2020 → Dec 2020
1
Countries hit
top United States · 1
At a glance
- Status
- inactive
- First seen
- 5 years ago
- Last activity
- 5 years ago
- Onion sites
- 1 known endpoint
- Primary sector
- Transportation Systems · 1 hits
About
Hades is a ransomware group that emerged in December 2020, operating as a financially-motivated cybercriminal organization targeting critical infrastructure sectors. The group's origin and specific affiliations remain largely undocumented in public threat intelligence reporting, though their operational patterns suggest they operate independently rather than as a ransomware-as-a-service model. Limited public documentation exists regarding Hades' specific attack methodology, though like most modern ransomware operators, they likely employ common initial access vectors such as phishing, remote desktop protocol exploitation, or supply chain compromises to gain network access before deploying their encryption payloads. The group has maintained a relatively low profile compared to other ransomware families, with only one publicly documented victim in the transportation systems sector within the United States, suggesting either highly targeted operations or limited operational scope. Current intelligence indicates minimal recent activity from the Hades group, though the lack of extensive public reporting makes it difficult to definitively assess whether the group remains active, has rebranded under a different name, or has ceased operations entirely.
References
18 linksExternal sources curated by the MISP threat-intel community.
- secureworks.com/research/threat-profiles/gold-winter
- assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp
- awakesecurity.com/blog/incident-response-hades-ransomware-gang-or-hafnium/
- blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/
- docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- killingthebear.jorgetesta.tech/actors/evil-corp
- symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
- twitter.com/inversecos/status/1381477874046169089?s=20
- accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware
- accenture.com/us-en/blogs/security/ransomware-hades
- advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities
- bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/
- crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
- huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox
- mandiant.com/resources/unc2165-shifts-to-evade-sanctions
- secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure
- sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf
- ransomlook.io/group/hades
Timeline
1 months2020-12-01T00:00:00+00:002020-12-01T00:00:00+00:00
Top countries
🇺🇸 United States
1
Top sectors
Transportation Systems
1
MITRE ATT&CK
3 techniques · 3 tacticsTactics
Initial AccessExecutionImpact
Recent victims
Loading…
Onion infrastructure
1 known- http://ixltdyumdlthrtgx.onion
Source
Updated 5 years agoData on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.