These two ransomware variants are either new or rebrands of the old REvil and DarkSide operations. Both are seeking high-profile targets for financial gain.

As we’ve mentioned before, it’s not unusual for ransomware groups to resurface under different aliases. Haron was the first new group to appear this month, and BlackMatter is the second.

Both claim to target companies with revenue high enough to pay ransoms in the millions of dollars. They also use language similar to DarkSide’s, pledging to spare hospitals, critical infrastructure, and nonprofit organizations.

BlackMatter also promised free decryption if its affiliates’ attack methods freeze files at such organizations. This is similar to what DarkSide explained on its leak site after the attack on Colonial Pipeline.

On July 19, the first Haron malware sample was uploaded to VirusTotal. S2W, a South Korean security firm, reported on the group three days later in an article that shows similarities between Haron and Avaddon.

Avaddon was another well-known ransomware-as-a-service (RaaS) provider that disappeared following heightened law enforcement attention. Avaddon released 2,934 decryption keys to BleepingComputer, with each key belonging to a specific victim. According to law enforcement, Avaddon’s average extortion price was over $40,000, meaning the operators and their affiliates quit and walked away from millions.

S2W Lab wrote on July 22 that when Haron ransomware is installed, “the extension of the encrypted file is changed to the victim’s name.” Like Avaddon, Haron’s operators drop a ransom note and run their own leak website. S2W included side-by-side photographs of the two groups’ ransom notes in its post.


There are other similarities between the two ransomware variants, including:

  • The two negotiation sites share cut-and-pasted verbiage.
  • The negotiation sites have nearly identical appearances, with the exception that the ransomware name “Avaddon” has been replaced with “Haron.”
  • Identical sections of open-source JavaScript chat code, previously posted on a Russian developer forum, are used on both.
  • The two leak websites use the same structure.

If Haron is Avaddon resurrected, its negotiation strategy would include scheduling the next data update as leverage. One difference is that we have not yet seen a triple-threat play from Haron. A triple-threat attack is one in which data is not only encrypted locally and exfiltrated before the ransom demand is issued, but uncooperative victims are also threatened with distributed denial-of-service (DDoS) attacks until they comply.

Haron’s negotiation window is six days, whereas Avaddon allowed 10 days. S2W Lab explains that Haron is built on the Thanos ransomware.

BlackMatter is the second ransomware strain to appear recently. According to Flashpoint, a risk intelligence firm, BlackMatter opened accounts on the underground forums XSS and Exploit on July 19 and deposited 4 bitcoins (about $150,000 USD as of Wednesday afternoon) into its Exploit account.

As supposedly defunct ransomware groups reappear in the threat landscape under new names, keeping current with new threats is very important for your company’s protection. It’s vital to engage an advanced security team like SpearTip to continuously monitor your network, because an average IT team may not always be equipped or have the expertise to deal with these threats.

We can help your company understand where its weak points are through our pre-breach advisory services. Our Security Operations Center as a Service (SOCaaS) operates 24/7/365 and gives our clients access to our certified engineers. Threat actors never rest or take a holiday when it comes to targeting your business, which is why a 24/7 service is so beneficial.

Our ShadowSpear platform detects threats early and blocks them from accessing your network.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.