Haron and BlackMatter – New Players or Well-Forgotten Cyber Gangs?

blackmatter ransomware malwareA couple of new cybercriminal groups have appeared on the horizon recently. Dubbed BlackMatter and Haron, respectively, they've been around short enough to look still shrouded in mystery, and long enough to hint at security researchers about possible connections to older players such as DarkSide,  REvil or Avaddon.

Pointing at Similar Targets

It is too early to make a firm conclusion whether the two new gangs are the good old crooks with a fresh coat of paint. However, one thing looks as clear as daylight – both groups aim for rich government and non-government organizations – entities that would have no problem splashing out millions of dollars on ransom payments potentially, were there to fall under a ransomware attack. However, that's by far not the only common feature present in both, Haron and BlackMatter, on one hand, and DarkSide and REvil on the other. For a start, there are striking similarities in their code and ransom note.

Other Common Features…

A glance at Haron's ransom note suggests that the latter may have done some heavy borrowing from Avaddon – a recent Ransomware-as-a-Service (RaaS) group that used to extort an average of $40 thousand per victim, before disappearing into thin air last month suddenly. Before disbanding, the Avadon cyber gang had hit as many as 2,934 targets reportedly, if the number of their recently released decryption keys is anything to go by. That both bands share the same portions of JS code here and there also is hardly surprising.

Not So Common Features

Even though Haron’s and Avaddon’s notes look identical when compared side by side, there’s a notable difference when it comes to the name pattern applied upon file encryption. As it is, Haron tailors each extension to the name of each infected party. Moreover, the C#-based Haron would not unleash a wave of Distributed Denial-of-Service (DDoS) attacks upon its non-paying targets. At the same time, the C++ compiled Avaddon has often engaged in such triple-threat plays before. Last but not least, Haron's victims have six days to pay the ransom, unlike Avaddon’s considerably longer 10-day deadline.

BlackMatter – A Descendant of REvil and DarkSide?

BlackMatter is a new malware player that pledges to attack any entities (except for healthcare, government and critical infrastructure organizations) whose annual revenue exceeds $100 million and whose networks have between 500 and 15,000 hosts. The crooks behind BlackMatter are reportedly ready to part ways with hundreds of thousands of dollars to get their way to flawed networks on either side of the Atlantic, as well.  BlackMatter’s mission not to hit pipelines, power plants, NGOs, hospitals, water treatment facilities, and other critical infrastructure objects implies that the actors in charge are determined not to repeat the Colonial pipeline debacle. That move also suggests that they have adopted a selective approach when drawing up the list of potential targets – in line with the newest ransomware trends.

Still Early for a Definitive Verdict

Although newcomers Haron and BlackMatter appear to bear considerable resemblance to older gangs like REVil, DarkSide and Avaddon, security researchers have yet to gather enough evidence to spot a direct connection. The former may become refined versions of the latter or maybe entirely new gangs – subject to additional analyses and investigations.