{
	"id": "8e82c9b8-0576-46e5-8c5a-7b4ef840bc9a",
	"created_at": "2026-04-06T00:17:09.391118Z",
	"updated_at": "2026-04-10T03:30:32.867164Z",
	"deleted_at": null,
	"sha1_hash": "e938dd103ac39e438d5df16a438815a1b6330989",
	"title": "BlackMatter \u0026 Haron: Evil Ransomware Newborns or Rebirths",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 705677,
	"plain_text": "BlackMatter \u0026 Haron: Evil Ransomware Newborns or Rebirths\r\nBy Lisa Vaas\r\nPublished: 2021-07-28 · Archived: 2026-04-05 20:00:39 UTC\r\nThey’re either new or old REvil \u0026 DarkSide wine in new bottles. Both have a taste for deep-pocketed targets and\r\nDarkSide-esque virtue-signaling.\r\nSo much for darkened servers at the headquarters of DarkSide or REvil ransomware groups. Turns out, we’ve got\r\neither their rebranded versions or two new ransomware gangs to contend with.\r\nThe first new group to appear this month was Haron, and the second is named BlackMatter. As Ars Technica’s\r\nDan Goodin points out, there may be more still out there.\r\nThey’re both claiming to be focused on targets with deep pockets that can pay ransoms in the millions of dollars.\r\nThey’re also virtue-signaling a la DarkSide, with similar language about sparing hospitals, critical infrastructure,\r\nnonprofits, etc.\r\nBlackMatter also promised free decryption if its affiliates screw up and kill kittens or freeze files at, say, pipeline\r\ncompanies, as happened when Colonial Pipeline was attacked by DarkSide in May.\r\nHaron \u0026 Its Cut-and-Paste Ransom Note\r\nThe first sample of the Haron malware was submitted to VirusTotal on July 19. Three days later, the South Korean\r\nsecurity firm S2W Lab reported on the group in a post that laid out similarities between Haron and Avaddon.\r\nAvaddon is yet another prolific ransomware-as-a-service (RaaS) provider that evaporated in June rather than face\r\nthe legal heat that followed Colonial Pipeline and other big ransomware attacks. 
At the time, Avaddon released its\r\ndecryption keys to BleepingComputer – 2,934 in total – with each key belonging to an individual victim.\r\nAccording to law enforcement, the average extortion fee Avaddon demanded was about $40,000, meaning the\r\nransomware operators and their affiliates quit and walked away from millions.\r\nOr Did They?\r\nIn its July 22 post, S2W Lab said that when infected with Haron ransomware, “the extension of the encrypted file\r\nis changed to the victim’s name.” Haron is also similar to Avaddon ransomware in that its operators are using a\r\nransom note and operating their own leak site. In its post, S2W provided side-by-side images of ransom notes\r\nfrom the two gangs.\r\nhttps://threatpost.com/ransomware-gangs-haron-blackmatter/168212/\r\nPage 1 of 7\n\nAs you can see below, the two ransom notes read like a cut-and-paste job. S2W Lab noted that the main difference\r\nis that Haron suggests a specific ID and Password for victims to log in to the negotiation site.\r\nRansom notes from Avaddon and Haron. Source: S2W Lab.\r\nThere are loads of other similarities between Haron and Avaddon, including:\r\nYet more cut-and-paste verbiage on the two negotiation sites.\r\nNearly identical appearances of the negotiation sites, besides the ransomware name of “Avaddon” being\r\nswapped for “Haron.”\r\nIdentical chunks of open-source JavaScript code used for chat that was previously published on a Russian\r\ndeveloper forum.\r\nThe two leak sites share the same structure.\r\nIf Haron is Avaddon reborn, the new bottles for the old wine include a strategy to induce negotiations by setting a\r\ntime for the next data update. Another difference: no triple-threat play to be seen from Haron, at least not yet. 
In\r\ntriple-threat attacks, not only is data encrypted locally and exfiltrated before the ransom demand is made, but\r\nrecalcitrant victims are also subjected to threats of distributed denial-of-service (DDoS) attack until they yield.\r\nAlso, Haron has shrunk the negotiation time to six days, whereas Avaddon allotted 10 days for negotiation.\r\nAnother difference is in the code base underlying the two ransomware families: S2W Lab said that Haron is running on the\r\nThanos ransomware – a “Ransomware Affiliate Program,” similar to a ransomware-as-a-service (RaaS), that’s\r\nbeen sold since 2019 – whereas Avaddon was written in C++.\r\nNone of the similarities are solid proof of Avaddon having risen from the ashes like a ransomware phoenix: They\r\ncould simply point to one or more threat actors from Avaddon working on a reboot, or they could point to nothing\r\nat all.\r\n“It is difficult to conclude that Haron is a re-emergence of Avaddon based on our analysis,” according to S2W’s\r\nwriteup, which pointed out that “Avaddon developed and used their own C++ based ransomware,” whereas the\r\npublicly available Thanos ransomware that Haron is using is built in C#.\r\nSentinelOne’s Jim Walter told Ars that he’s seen what look like similarities between Avaddon and Haron samples,\r\nbut he’ll know more soon.\r\nAs of July 22, Haron’s leak site had only disclosed one victim.\r\nBlackMatter\r\nThe second ransomware newbie calls itself BlackMatter. News about the new network was reported on Tuesday\r\nby security firm Recorded Future – which labeled it a successor to DarkSide and REvil – and by its news arm, The\r\nRecord. 
Risk intelligence firm Flashpoint also spotted the newcomer, noting that BlackMatter registered an\r\naccount on the Russian-language underground forums XSS and Exploit on July 19 and deposited 4 bitcoins\r\n(approximately $150,000 USD as of Wednesday afternoon) into its Exploit escrow account.\r\nBoth of those forums banned ransomware discussion in May, following DarkSide’s attack on Colonial Pipeline. In\r\nthe wake of that catastrophic shutdown, which sparked gas hoarding along the East Coast and an emergency order\r\nfrom the federal government, REvil instituted pre-moderation for its partner network, saying that it would ban any\r\nattempt to attack any government, public, educational or healthcare organizations.\r\nReferring to DarkSide’s experience, REvil’s backers said that the group was “forced to introduce” these\r\n“significant new restrictions,” promising that affiliates that violated the new rules would be kicked out and that it\r\nwould give out decryption tools for free.\r\nFlashpoint noted that the large deposit on the Exploit forum shows that BlackMatter is serious.\r\nOn July 21, the threat actor said that the network is looking to buy access to affected networks in the U.S.,\r\nCanada, Australia, and the UK, presumably for ransomware operations. It’s offering up to $100,000 for network\r\naccess, as well as a cut of the ransom take.\r\nPutting Up Big Money for Big Fish\r\nBlackMatter is putting up big money because it’s after big fish. The group said that it was looking for deep-pocketed organizations with revenues of more than $100 million: the size of organizations that could be expected\r\nto pay big ransoms. The threat actor is also requiring that targets have 500-15,000 hosts in their networks. It says it is\r\nopen to all industries, except for healthcare and governments.\r\nBlackMatter ad on the Exploit underground forum. 
Source: Recorded Future.\r\n‘We Are Ethical Blood Suckers’\r\nThat’s where the virtue signaling comes in. The Record reports that BlackMatter’s leak site is currently empty,\r\nwhich suggests that BlackMatter only launched this week and hasn’t yet carried out, or at least hasn’t yet publicized, any network intrusions.\r\nWhen it does go after victims, the roster supposedly won’t include certain target types that are currently taboo to\r\ntarget. A section of BlackMatter’s leak site lists the types of targets that are off-limits, including:\r\nHospitals\r\nCritical infrastructure facilities (nuclear power plants, power plants, water treatment facilities)\r\nOil and gas industry (pipelines, oil refineries)\r\nDefense industry\r\nNon-profit companies\r\nGovernment sector\r\nSound familiar? That’s because it’s a dead ringer for a list formerly provided on the leak site of the DarkSide gang\r\nbefore it supposedly went belly-up following the Colonial attack. Promises not to attack these types of\r\norganizations aren’t always adhered to by these gangs’ affiliates, but BlackMatter has promised that if victims\r\nfrom those industries are attacked, the operators will decrypt their data for free.\r\nBuying Legitimacy\r\nMike Fowler, vice president of intelligence services at GroupSense – a firm that offers threat intelligence and\r\nransom negotiation – has been keeping an eye on BlackMatter. He told Threatpost on Wednesday that lately,\r\nthere’s been an evolution in the tactics, techniques and procedures (TTPs) used by emerging RaaS cartels such as Hive,\r\nGrief and, most recently, BlackMatter: an evolution reminiscent of the 2020 shift to double extortion pioneered by\r\nMaze.\r\n“GroupSense has witnessed an expected jockeying for position and brand awareness within the RaaS cartels,”\r\nFowler said in an email. “This was clearly evidenced by BlackMatter’s account registration on the top two\r\ncybercrime forums. 
Their deposit of 4 Bitcoins into their escrow account on the largest Russian cybercrime forum,\r\nExploit, is clearly an attempt to purchase legitimacy.”\r\nCareful Victim Targeting\r\nDigital Shadows’ Sean Nikkel told Threatpost on Wednesday that the careful selection of big companies reflects\r\nthe increasing number of threat actors that are “doing their due diligence” when it comes to selecting victims.\r\n“We’ve seen time and again when they have some knowledge around key personalities within an organization,\r\nrevenue, size, and even customers, so the idea of big game hunting seems to be in line with observed ransomware\r\ntrends,” Nikkel said via email.\r\nHe called the virtue signaling and promise to do right by the exempted industries an “interesting twist.”\r\n“While REvil had publicly stated that everything was fair game previously, maybe this cooling-off period from\r\nprevious attention has forced a change of heart, if it is indeed them coming back,” Nikkel added.\r\n“Interesting” is one way to frame it. Another way to look at it is as squeaking from blood-sucking parasites, as a\r\ncommenter on Ars’ coverage suggested:\r\nNor was GroupSense’s Fowler impressed by BlackMatter’s “pinky promise” not to victimize certain business\r\nsegments. He said it rings particularly hollow “given their rise to prominence as REvil’s standing as the #2 RaaS\r\nfades into obscurity.”\r\nStill, to put it all into perspective, while BlackMatter is “the flavor of the day,” Fowler says that other RaaS\r\nservices, such as Conti, Grief, Hive and LockBit, are “just as big a threat.”\r\nRansomware Phoenixes or New Ratbags? Time Will Tell\r\nDirk Schrader, global vice president of security research at New Net Technologies (NNT), told Threatpost on\r\nWednesday that anybody who didn’t see REvil or DarkSide re-emerging might not have their head screwed on\r\nright. 
There’s a “good chance” that REvil decided proactively “to take down everything and to re-emerge, just to\r\nmake tracking and tracing even more difficult,” he added in an email.\r\nMeanwhile, whatever sabre-rattling the Biden administration has been doing at Russia or China about kinetic\r\nresponses and hack-backs won’t change the situation, Schrader predicted. As it is, the threat actors are refining\r\ntheir approaches to look at targets that have “a higher motivation” to pay ransom, cases in point being Kaseya and\r\nSolarWinds.\r\n“Ransomware groups will continue to look for attack vectors that are likely to have a higher motivation for\r\npayment, and that is the next evolution in this business,” Schrader said via email. “We already see the early\r\neffects. Kaseya, SolarWinds, tools that promise access to high-value assets, where an organization’s revenue\r\nstream and reputation depends on.”\r\nSchrader thinks that the capability recently added to some ransomware strains to encrypt VMware ESXi servers is “a harbinger of what will\r\ncome,” pointing to CISA’s recent alert about the top routinely exploited vulnerabilities, which included a warning\r\nabout CVE-2021-21985: the critical remote code execution (RCE) vulnerability in VMware vCenter Server and\r\nVMware Cloud Foundation.\r\n“In essence, not paying a ransom is the only angle that will – over time – eradicate ransomware,” Schrader said.\r\n“And to be positioned for that, companies will have to minimize and protect their attack surface, harden their\r\nsystems and infrastructure, manage existing accounts properly and delete old ones, patch vulnerabilities according\r\nto risks, and be able to operate in a cyber-resilient manner when under attack.”\r\nWhere’s the MBA Coursework About Ransomware?\r\nGroupSense’s Fowler said that the focus has to be on prevention and mitigation before ransomware is deployed.\r\nBut what about after? 
“Ransomware attacks are a cyber issue up to the point that the ransomware is executed,” he\r\npointed out. “Then it becomes a business issue, and this presents business considerations and continuity hurdles\r\nnot part of the curriculum on any MBA course I’m familiar with currently.”\r\n072821 16:28 UPDATE: Added input from Mike Fowler.\r\nSource: https://threatpost.com/ransomware-gangs-haron-blackmatter/168212/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatpost.com/ransomware-gangs-haron-blackmatter/168212/"
	],
	"report_names": [
		"168212"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434629,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e938dd103ac39e438d5df16a438815a1b6330989.pdf",
		"text": "https://archive.orkl.eu/e938dd103ac39e438d5df16a438815a1b6330989.txt",
		"img": "https://archive.orkl.eu/e938dd103ac39e438d5df16a438815a1b6330989.jpg"
	}
}