Cyber Threat Actor: Hades
| Actor Type | Location | Known Incidents |
Criminal
|
—
|
1 incident |
|---|
Profile
Hades is a ransomware threat actor identified through its public claims of attacks against corporate entities. The group operates under this singular alias based on available reporting. Its activities center on financially motivated cyber extortion, leveraging encryption and data theft to pressure victims into paying ransoms. Public evidence does not indicate espionage or disruptive geopolitical objectives beyond monetary gain from targeted organizations.
The group has demonstrated a specific focus on the transportation sector, as evidenced by its confirmed attack against trucking and logistics firm Forward Air in December 2020. This operation disrupted critical business functions by forcing systems offline, specifically impairing customs documentation processing and public-facing web services. Hades employs ransomware payloads coupled with data exfiltration, threatening to release stolen information unless payment is made. Communication with victims occurs through anonymized channels, including Tor-based leak sites and the Tox instant messaging platform, consistent with typical ransomware group tradecraft. No malware families beyond their namesake ransomware variant are publicly documented in confirmed attacks.
Forward Air represents the most comprehensively reported Hades operation to date. The attack prompted the company to involve federal law enforcement and third-party cybersecurity responders for system restoration and forensic analysis. While the ransom demand specifics remain undisclosed, the incident highlights the actor's execution of double-extortion tactics—combining system encryption with threats to publish sensitive data. This single confirmed campaign provides the sole basis for understanding Hades' targeting preferences and operational methods, as no other publicly attributable incidents exist in verifiable sources. The group's infrastructure choices and ransom negotiation processes align with established criminal ransomware practices rather than suggesting unique technical capabilities.
