Haron and BlackMatter are the latest groups to crash the ransomware party



July has so far brought at least two new ransomware groups. Or maybe they are old ones that are being rebranded. Researchers are still working through various theories.

Both groups say they are going after big-game targets, i.e. corporations or other large organizations that have the pockets to pay millions in ransom. The newcomers arrive as recent ransomware intrusions against oil pipeline operator Colonial Pipeline, meat packer JBS SA, and managed network provider Kaseya have caused major disruptions and put pressure on Washington to contain the threats.

Haron: like Avaddon. Or maybe not

The first group is called Haron. A sample of the Haron malware was first submitted to VirusTotal on July 19. Three days later, the South Korean security company S2W Lab discussed the group in a post.

Most of the group’s site on the dark web is password-protected with extremely weak credentials. Past the login page there is a list of the alleged targets, a chat transcript that cannot be fully viewed, and the group’s explanation of its mission.

  • If you enter a correct password, you will end up in the middle of the chat.

  • A page titled “What’s up?”

  • A page with a list of victims.

As S2W Lab pointed out, the site’s layout, organization, and appearance are almost identical to those of Avaddon, the ransomware group that went dark in June after sending BleepingComputer a master decryption key that victims could use to recover their data.

  • The leak sites side by side.

  • Another comparison of the leak sites.

  • The negotiation sites side by side.

  • Another comparison of the negotiation sites.

  • One more.

The similarity alone is not particularly meaningful. It could mean that the creator of the Haron site was involved in the administration of the Avaddon site. Or it could be the Haron site creator attempting a head fake.


A connection between Haron and Avaddon would be more convincing if there were overlaps or similarities in the code of the two groups. No such links have been reported so far.

The engine behind the Haron ransomware is, according to S2W Lab, Thanos, a separate piece of ransomware that has been around since at least 2019. Haron was developed using a recently released Thanos builder for the C# programming language. Avaddon, on the other hand, was written in C++.

Jim Walter, a senior threat researcher at security firm SentinelOne, said in a text message that he had found apparent similarities to Avaddon in some samples he recently began analyzing. He said he would know more soon.

In the shadow of REvil and DarkSide

The second newcomer to ransomware is called BlackMatter. This was reported on Tuesday by the security firm Recorded Future and its news arm The Record.

Recorded Future, The Record and security firm Flashpoint, which also covered the emergence of BlackMatter, have questioned whether the group has any ties to DarkSide or REvil. These two ransomware groups suddenly went dark after attacks – against global meat producer JBS and managed network services provider Kaseya in the case of REvil and Colonial Pipeline in the case of DarkSide – attracted more attention than the groups wanted. The Justice Department later said it had recovered $2.3 million of Colonial’s $4.4 million ransom payment.

But here, too, the similarities at this point are all cosmetic in nature and include the wording of a promise first made by DarkSide not to target hospitals or critical infrastructure. Given the heat US President Joe Biden is trying to put on his Russian counterpart to crack down on ransomware groups operating in Eastern Europe, it would not be surprising if all groups followed DarkSide’s lead.

None of this is to say that the speculation is wrong, just that there is little more than a hint of support right now.