BlackMatter and Haron, two new ransomware gangs in the threat landscape

Pierluigi Paganini July 29, 2021

The cyber threat landscape change continuously, recently two new ransomware-as-service (RaaS) operations named BlackMatter and Haron made the headlines.

Recently, two new ransomware gangs, named BlackMatter and Haron, announced the beginning of the operations.

The Haron malware was first described by the South Korean security firm S2W Lab, three day after a first sample of the ransomware was uploaded to VirusTotal (July 19). Researchers discovered many similarities between the Haron group and the Avaddon operations, including:

  • Similarity of ransom notes;
  • Similarity of negotiation sites;
  • Similarity of the leak sites;

The circumstance suggests that Haron could be the Avaddon reborn.

Avaddon, like other RaaS program have disappeared in June fearing the reaction of the federal authorities to the Colonial Pipeline ransomware attack conducted by DarkSide.

The cybercrime group shut down its operations and provided the decryption keys to BleepingComputer website. The group has also shut down its servers and deleted profiles on hacking forums, they also shut down their leak site.

“Haron ransomware was first discovered in July 2021. When infected with this ransomware, the extension of the encrypted file is changed to the victim’s name. They are using a ransom note and operating their own leak site similar to Avaddon ransomware.” reads the analysis published by S2W LAB on Medium.

However experts noticed that the engines running the two ransomwares were different, Haron was based on the Thanos ransomware, which is a RaaS that has been sold on cybercrime underground since 2019

Anyway, the above similarities are bit enough to demonstrate that Haron operations are the successor of Avaddon.

This week another ransomware gang started its operations, the group BlackMatter, which claims to be the successor of Darkside and REvil groups.

Lile other ransomware operations, BlackMatter also set up its leak sitewhere it will publish data exfiltrated from the victims before encrypting their system.

The birth of the BlackMatter ransomware was first spotted by researchers at Recorded Future who also reported that the gang is setting up a network of affiliates using ads posted on two cybercrime forums, such as Exploit and XSS.

The group is recruiting crooks with access to the networks of large enterprises, which have revenues of $100 million/year or larger, in an attempt to infect them with its ransomware.

The group is looking for corporate networks in the US, the UK, Canada, or Australia.

BlackMatter ransomware operators announced that they will not target healthcare organizations, critical infrastructure, organizations in the defense industry, and non-profit companies.

“The group boasted about having the ability to encrypt different operating system versions and architectures. This includes the likes of Windows systems (via SafeMode), Linux (Ubuntu, Debian, CentOS), VMWare ESXi 5+ virtual endpoints, and network-attached storage (NAS) devices (such as Synology, OpenMediaVault, FreeNAS, and TrueNAS).” reported The Record.

BlackMatter forum-post
BlackMatter forum post – Source THE RECORD

Recorded Future researchers believe that there is a link between BlackMatter and the now-defunct Darkside group.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Haron ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment