[BreachExchange] Haron and BlackMatter are the latest groups to crash the ransomware party

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Jul 28 11:45:01 EDT 2021


https://arstechnica.com/gadgets/2021/07/july-has-already-brought-us-2-new-ransomware-groups-hunting-for-big-game/

July has so far ushered in at least two new ransomware groups. Or maybe
they’re old ones undergoing a rebranding. Researchers are in the process of
running down several different theories.

Both groups say they are aiming for big-game targets, meaning corporations
or other large businesses with the pockets to pay ransoms in the millions
of dollars. The additions come as recent ransomware intrusions of oil
pipeline operator Colonial Pipeline, meat packer JBS SA, and managed
network provider Kaseya have caused major disruptions and created pressure
in Washington to curb the threats.

Haron: like Avaddon. Or maybe not

The first group is calling itself Haron. A sample of the Haron malware was
first submitted to VirusTotal on July 19. Three days later, South Korean
security firm S2W Lab discussed the group in a post.

Most of the group’s site on the dark web is password protected by extremely
weak credentials. Once past the login page, there’s a list of alleged
targets, a chat transcript that’s not fit to be shown in full, and the
group’s explanation of its mission.

As S2W Lab pointed out, the layout, organization, and appearance of the
site are almost identical to those for Avaddon, the ransomware group that
went dark in June after sending a master decryption key to BleepingComputer
that victims could use to recover their data.

The similarity on its own isn’t especially meaningful. It could mean that
the creator of the Haron site had a hand in administering the Avaddon site.
Or it could be the Haron site creator doing a headfake.

A connection between Haron and Avaddon would be more convincing if there
were overlaps or similarities in the code used by the two groups. So far
there are no such links reported.

The engine driving Haron ransomware, according to S2W Lab, is Thanos, a
separate piece of ransomware that has been around since at least 2019.
Haron was developed using a recently published Thanos builder for the C#
programming language. Avaddon, by contrast, was written in C++.

Jim Walter, a senior threat researcher at security firm SentinelOne, said
in a text message that he spotted what appear to be similarities with
Avaddon in a couple of samples he recently started analyzing. He said he’d
know more soon.

In the shadows of REvil and DarkSide

The second ransomware newcomer is calling itself BlackMatter. It was
reported on Tuesday by security firm Recorded Future and its news arm The
Record.

Recorded Future, The Record, and security firm Flashpoint, which also
covered the emergence of BlackMatter, have questioned if the group has
connections to either DarkSide or REvil. Those two ransomware groups
suddenly went dark after attacks—against global meat producer JBS and
managed network services provider Kaseya in REvil’s case and Colonial
Pipeline in the case of DarkSide—generated more attention than the groups
wanted. The Justice Department later claimed to have recovered $2.3 million
from Colonial’s ransomware payment of $4.4 million.

But once again, the similarities at this point are all cosmetic and include
the wording of a pledge, first made by DarkSide, not to target hospitals or
critical infrastructure. Given the heat US President Joe Biden is trying to
put on his Russian counterpart to crack down on ransomware groups operating
in Eastern Europe, it wouldn't be surprising to see all groups follow
DarkSide's lead.

None of this is to say that the speculation is wrong, only that at the
moment there’s little more than hunches for support.