July has so far brought at least two new ransomware groups. Or maybe they are, in fact, old teams that have come back under a different name. The two groups mainly target high-profile companies and enterprises, as these are more likely to pay huge ransoms (amounting to millions of dollars). These two additions to the threat landscape come after a series of recent ransomware attacks on Colonial Pipeline, JBS and Kaseya, which caused significant disruption while also putting intense pressure on Washington to curb cyber-threats. But let's look in more detail at the two groups, named "Haron" and "BlackMatter".
Haron: A team similar to Avaddon?
A sample of the Haron malware was first submitted to VirusTotal on the 19th of July. Three days later, the South Korean security company S2W Lab described the cybercrime gang in a post.
Most of the group's site on the dark web is password-protected, but with extremely weak credentials. Once past the login page, there is a list of alleged targets, a chat transcript that may not be fully displayed, and the group's explanation for posting it.
As S2W Lab pointed out, the layout, organization and appearance of the site are almost identical to those of Avaddon, the ransomware group that ceased its activity in June after releasing a decryption key via BleepingComputer, which victims could use to recover their data.
The similarity between the two groups does not mean much on its own. It could simply mean that the creator of the Haron site was also behind the management of the Avaddon site.
A link between Haron and Avaddon would be more likely if there were overlaps or similarities in the code used by the two groups. So far, no such connecting links have been reported.
The "engine" of the Haron ransomware, according to S2W Lab, is Thanos, a distinct ransomware strain that has been active in the threat landscape since at least 2019. Haron was developed using a recently published Thanos builder, in the C programming language. Avaddon, by contrast, was written in C++.
BlackMatter: The "successor" of REvil and DarkSide?
The second ransomware that appeared in July is called "BlackMatter". It was reported on the 27th of July by the security company Recorded Future and the news site The Record.
Recorded Future, The Record and the security company Flashpoint, which also covered the appearance of BlackMatter, doubt that the group is affiliated with DarkSide and REvil. These two ransomware groups suddenly halted their "business" after their attacks, against JBS and Kaseya (in the case of REvil) and Colonial Pipeline (in the case of DarkSide), having first attracted more attention than they wanted. The US Department of Justice (DoJ) later claimed to have recovered $2.3 million of the $4.4 million ransom paid by Colonial Pipeline.