
SentinelOne VS Hades Ransomware – Prevention

Hades is sometimes referred to as Phoenix Locker. Hades and Phoenix, in this context, are considered to be the same threat.
Hades is believed to be developed by the Evil Corp group and is related to Payload.bin and WastedLocker.
Prolific threat actors have launched many Hades ransomware campaigns against high-value targets since at least December 2020.
Operators behind Hades are often hands-on with delivering and managing the malware within their targets.
Like other popular ransomware families, Hades attempts to disable or otherwise compromise system recovery options and deletes Volume Shadow Copies.
Actors behind these campaigns have leveraged RDP and VPN flaws or stolen credentials to launch their attacks. However, these are not the only possible options.
Hades is a 64-bit compiled version of WastedLocker that shares significant code and functionality with it. In March 2021, a new variant called ‘Phoenix Locker’ appeared in the wild. Analysis suggests this is a rebranded version of Hades with little to no changes.
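The recovery-tampering behaviour described above (disabling recovery options and deleting Volume Shadow Copies) is a reliable detection point because it shows up as process-creation telemetry before encryption completes. The following is an added example, not SentinelOne code and not taken from any Hades sample: it runs a small set of detection rules over constructed Sysmon-style process-creation events and escalates a host that issues several distinct recovery-tampering commands within a short window. The command patterns (vssadmin, wmic shadowcopy, bcdedit, wbadmin) are assumptions drawn from common ransomware tradecraft; the page itself names no specific commands.

```python
"""Detect recovery-tampering commands of the kind ransomware families such as
Hades use before encryption (shadow copy deletion, boot recovery disabled).

Added example. The rules below are assumed patterns for well-known Windows
utilities, not commands quoted on the page; tune them to your telemetry.
"""
import re
from datetime import datetime

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# These are not real telemetry from any incident.
SAMPLE_EVENTS = [
    {"ts": "2021-03-02T10:14:01Z", "host": "ws01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2021-03-02T10:14:03Z", "host": "ws01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2021-03-02T10:14:05Z", "host": "ws01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    # Benign administrative activity that must not fire.
    {"ts": "2021-03-02T10:20:00Z", "host": "ws02", "user": "CORP\\backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"ts": "2021-03-02T10:21:00Z", "host": "ws02", "user": "CORP\\backup",
     "image": "C:\\Program Files\\Acme\\backup.exe",
     "cmdline": "backup.exe --full"},
]

# Each rule: (name, regex applied to the lower-cased command line, ATT&CK technique).
# All map to T1490 "Inhibit System Recovery".
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"), "T1490"),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b"), "T1490"),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"), "T1490"),
    ("bcdedit_recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b"), "T1490"),
    ("bcdedit_ignore_failures",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b"), "T1490"),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b"), "T1490"),
]


def _parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def match_event(event):
    """Return the names of all rules matched by one event's command line."""
    cmd = event.get("cmdline", "").lower()
    return [name for name, rx, _ in RULES if rx.search(cmd)]


def scan_events(events, window_seconds=300, burst_threshold=2):
    """Return (findings, escalated).

    findings:  one record per event that matched at least one rule.
    escalated: host -> sorted rule names, for hosts that ran at least
               burst_threshold distinct tampering commands inside
               window_seconds. A burst is the strongest signal: a single
               'vssadmin delete shadows' may be a clumsy admin, but
               several different recovery-inhibiting commands in a few
               seconds is ransomware staging.
    """
    findings = []
    per_host = {}  # host -> list of (timestamp, rule name)
    for ev in events:
        hits = match_event(ev)
        if not hits:
            continue
        ts = _parse_ts(ev["ts"])
        findings.append({"host": ev["host"], "user": ev["user"], "ts": ev["ts"],
                         "rules": hits, "cmdline": ev["cmdline"]})
        per_host.setdefault(ev["host"], []).extend((ts, r) for r in hits)

    escalated = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = {r for t, r in hits[i:]
                         if (t - t0).total_seconds() <= window_seconds}
            if len(in_window) >= burst_threshold:
                escalated[host] = sorted(in_window)
                break
    return findings, escalated


if __name__ == "__main__":
    found, esc = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts']} {f['host']} {f['user']}: {', '.join(f['rules'])} <- {f['cmdline']}")
    for host, rules in esc.items():
        print(f"ESCALATE {host}: burst of recovery tampering ({', '.join(rules)})")
```

On the constructed sample the three ws01 commands each fire one rule and, because they occur within seconds of each other, ws01 is escalated; the `vssadmin list shadows` and backup-agent commands on ws02 are ignored. The burst window is the knob to tune: long enough to catch the sequential disable-then-delete pattern, short enough that routine VSS housekeeping by a backup product does not accumulate into a false escalation.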

Hades employs a UAC bypass taken from the UACMe tool. Unlike other Evil Corp malware, Hades does not use Alternate Data Streams (ADS) during its execution. In addition, Hades stores key information in each encrypted file, whereas WastedLocker and BitPaymer store key information inside the ransom note.
