So far, July has ushered in at least two new ransomware groups. Or maybe they are old players undergoing a rebranding. Researchers are still analyzing several competing theories.
Both groups say they are going after big game, that is, corporations or other large companies with the pockets to pay ransoms in the millions of dollars. The additions come as recent ransomware intrusions into pipeline operator Colonial Pipeline, meatpacker JBS SA, and managed network provider Kaseya have caused major disruptions and created pressure in Washington to stem the threats.
Haron: like Avaddon. Or maybe not
The first group calls itself Haron. A sample of the Haron malware was first submitted to VirusTotal on July 19. Three days later, the South Korean security company S2W Laboratory discussed the group in a write-up.
Most of the group’s dark web site is password protected by extremely weak credentials. Once past the login page, there is a list of supposed targets, a chat transcript that cannot be displayed in its entirety, and the group’s explanation of their mission.
As S2W Lab pointed out, the site’s design, organization, and appearance are nearly identical to those of Avaddon, the ransomware group that shut down in June after sending a decryption master key to BleepingComputer that victims could use to recover their data.
The similarity alone is not particularly significant. It could mean that the creator of the Haron site was involved in administering the Avaddon site. Or it could be the creator of the Haron site pulling a head fake.
A connection between Haron and Avaddon would be more compelling if there were overlaps or similarities in the code used by the two groups. So far no such links have been reported.
The engine that powers the Haron ransomware, according to S2W Lab, is Thanos, a separate piece of ransomware that has been around since at least 2019. Haron was developed using a Thanos builder for the C# programming language. Avaddon, by contrast, was written in C++.
Jim Walter, a senior threat researcher at security firm SentinelOne, said in a text message that he saw what appear to be similarities to Avaddon in a couple of samples that he recently began testing. He said he would know more soon.
In the shadows of REvil and DarkSide
Recorded Future, The Record, and security firm Flashpoint, which also covered the appearance of BlackMatter, have questioned whether the group has connections to DarkSide or REvil. Those two ransomware groups suddenly shut down after their attacks – against global meat producer JBS and managed network service provider Kaseya in the case of REvil, and Colonial Pipeline in the case of DarkSide – generated more attention than the groups wanted. Later, the Justice Department said it had recovered $2.3 million of Colonial’s $4.4 million ransom payment.
But again, the similarities at this point are all cosmetic and include the wording of a promise, first made by DarkSide, not to target hospitals or critical infrastructure. Given the pressure that US President Joe Biden is trying to apply to his Russian counterpart to crack down on ransomware groups operating in Eastern Europe, it would not be surprising to see all groups follow DarkSide’s lead.
None of this is to say that the speculation is wrong, only that at this point there is little more than hunches to support it.