BlackMatter & Haron Targeting Firms with Revenue of $100 Million and More


Cybersecurity researchers from South Korean security firm S2W Labs have unearthed two new ransomware groups. A sample of the first group of malware — which is identifying itself as 'Haron', was first submitted to VirusTotal on July 19. 

According to S2W Lab, the layout, organization, and tactics used by Haron are almost identical to those for Avaddon, the ransomware group that went dark in June after sending a master decryption key to BleepingComputer that victims could use to recover their data.

Both groups are targeting high-profile organizations in order to maximize their profits. Haron also runs a “leak site” where it threatens to publish data stolen from companies who refuse to pay for decrypting their files. According to S2W Lab, the engine driving Haron ransomware is Thanos, a separate piece of ransomware that has been around since at least 2019.

Haron was developed using a recently published Thanos builder for the C# programming language. Avaddon, on the other hand, was written in C++. Jim Walter, a senior threat researcher at security firm SentinelOne, said in a text message that he spotted what appear to be similarities with Avaddon in a couple of samples he recently started analyzing. He said he would know more soon. 

The second ransomware newcomer goes by the name 'BlackMatter'. According to Flashpoint, BlackMatter threat actors registered an account on the Russian forums XSS and Exploit on July 19 and immediately followed up to an infected corporate network consisting of 500 to 15,000 hosts. He said he was trying to buy access. With annual revenues of over $100 million in the United States, Canada, Australia, and the United Kingdom, it may indicate the operation of large-scale ransomware.

“Actors have deposited 4 BTC (about US $ 150,000) into their escrow accounts, which shows the seriousness of threat actors when they deposit large amounts in forums. Black Matter does not openly state that they are ransomware collective operators. The language and goals of their posts clearly indicate that they are ransomware collective operators. But technically it doesn’t violate the rules of the forum,” FlashPoint researchers said in the report. 

The emergence of BlackMatter coincides with the disappearance of DarkSide and REvil in the wake of highly publicized incidents of Colonial Pipeline, JBS, and Kaseya — raising speculations that the groups may eventually rebrand and resurface under a new identity.