BlackMatter & Haron Avaddon New faces


Two new ransomware groups appeared in July 2021. Or maybe they're old ones with a new look.

BlackMatter and Haron say they target big-game businesses that can pay ransoms in the millions of dollars. The additions come as recent ransomware intrusions at oil pipeline operator Colonial Pipeline, meat packer JBS SA, and managed network provider Kaseya have caused major disruptions and created pressure in Washington to curb the threats.


Haron: Avaddon with a new face

The first group is calling itself Haron. Most of the group's site on the dark web is password protected, but by extremely weak credentials. Past the login page, there's a list of alleged targets, a chat transcript that's not fit to be shown in full, and the group's explanation of its mission.

As S2W Lab pointed out, the layout, organization, and appearance of the site are almost identical to those for Avaddon, the ransomware group that went dark in June after sending a master decryption key to BleepingComputer that victims could use to recover their data.

The similarity on its own isn’t especially meaningful. It could mean that the creator of the Haron site had a hand in administering the Avaddon site. Or it could be the Haron site creator doing a head fake.

A connection between Haron and Avaddon would be more convincing if there were overlaps or similarities in the code used by the two groups. So far, there are no such links reported.

According to S2W Lab, the engine driving Haron ransomware is Thanos, a separate piece of ransomware that has been around since at least 2019. Haron was developed using a recently published Thanos builder for the C# programming language. Avaddon, by contrast, was written in C++.

Jim Walter, a senior threat researcher at security firm SentinelOne, said in a text message that he spotted what appear to be similarities with Avaddon in a couple of samples he recently started analyzing. He said he’d know more soon.

BlackMatter: in the shadows of REvil and DarkSide


The second ransomware newcomer is calling itself BlackMatter. Recorded Future, The Record, and security firm Flashpoint, which also covered the emergence of BlackMatter, have questioned if the group has connections to either DarkSide or REvil. Those two ransomware groups suddenly went dark after attacks—against global meat producer JBS and managed network services provider Kaseya in REvil’s case and Colonial Pipeline in the case of DarkSide—generated more attention than the groups wanted. The Justice Department later claimed to have recovered $2.3 million from Colonial’s ransomware payment of $4.4 million.

But once again, the similarities at this point are all cosmetic and include the wording of a pledge, first made by DarkSide, not to target hospitals or critical infrastructure. Given the heat US President Joe Biden is trying to put on his Russian counterpart to crack down on ransomware groups operating in Eastern Europe, it wouldn't be surprising to see all groups follow DarkSide's lead.

Neither was GroupSense’s Fowler impressed by BlackMatter’s “pinky promise” not to victimize certain business segments. He said it rings particularly hollow “given their rise to prominence as REvil’s standing as the #2 RaaS fades into obscurity.”

Still, to put it all into perspective, while BlackMatter is “the flavor of the day,” Fowler says that other RaaS services, such as Conti, Grief, Hive and LockBit, are “just as big a threat.”
