July has so far ushered in at least two new ransomware groups. Or maybe they're old ones undergoing a rebranding. Researchers are in the process of running down several different theories.
Both groups say they're aiming for big-game targets, meaning corporations or other large businesses with the pockets to pay ransoms in the millions of dollars. The additions come as recent ransomware intrusions at oil pipeline operator Colonial Pipeline, meat packer JBS SA, and managed network provider Kaseya have caused major disruptions and created pressure in Washington to curb the threat.
Haron: like Avaddon. Or maybe not
The first group is calling itself Haron. A sample of the Haron malware was first submitted to VirusTotal on July 19. Three days later, South Korean security firm S2W Lab discussed the group in a post.
Much of the group's website on the dark web is password protected, but by extremely weak credentials. Once past the login page, there's a list of alleged targets, a chat transcript that's not fit to be shown in full, and the group's explanation of its mission.
Entering a correct password lands you in the middle of a chat.
A page titled "What is the matter?"
A page listing victims.
As S2W Lab pointed out, the layout, organization, and appearance of the site are almost identical to those of Avaddon, the ransomware group that went dark in June after sending a master decryption key to BleepingComputer that victims could use to recover their data.
The leak sites side by side.
Another leak site comparison.
Negotiation sites side by side.
Another negotiation site comparison.
Another.
The similarity by itself isn't especially meaningful. It could mean that the creator of the Haron site had a hand in administering the Avaddon site. Or it could be the Haron site creator doing a headfake.
A connection between Haron and Avaddon would be more convincing if there were overlaps or similarities in the code used by the two groups. So far no such links have been reported.
The engine driving Haron ransomware, according to S2W Lab, is Thanos, a separate piece of ransomware that has been around since at least 2019. Haron was developed using a recently published Thanos builder for the C# programming language. Avaddon, by contrast, was written in C++.
Jim Walter, a senior threat researcher at security firm SentinelOne, said in a text message that he saw what appear to be similarities with Avaddon in a couple of samples he recently started analyzing. He said he'd know more soon.
In the shadows of REvil and DarkSide
The second ransomware newcomer is calling itself BlackMatter. It was reported on Tuesday by security firm Recorded Future and its news arm The Record.
Recorded Future, The Record, and security firm Flashpoint, which also covered the emergence of BlackMatter, have questioned whether the group has connections to either DarkSide or REvil. Those two ransomware groups suddenly went dark after their attacks (against global meat producer JBS and managed network services provider Kaseya in REvil's case, and against Colonial Pipeline in DarkSide's) generated more attention than the groups wanted. The Justice Department later claimed to have recovered $2.3 million of Colonial's $4.4 million ransom payment.
But once again, the similarities at this point are all cosmetic, and they include the wording of a pledge, first made by DarkSide, not to target hospitals or critical infrastructure. Given the heat US President Joe Biden is trying to put on his Russian counterpart to crack down on ransomware groups operating in Eastern Europe, it wouldn't be surprising to see all groups follow DarkSide's lead.
None of this is to say that the speculation is wrong, only that for the moment there's little more than hunches to support it.