They’re either new or old REvil & Dark Side ‘wine in new bottles’. Both have a liking for rich targets & Dark Side-esque virtue-signalling.
The 1st new group to appear this month was Haron, & the 2nd is named Black Matter. As Ars Technica‘s Dan Goodin points out, ‘there may be more still out there.’
Focused on Targets
They’re both claiming to be focused on targets with deep pockets that can pay ransoms in the millions of dollars. They’re also virtue-signalling from Dark Side, with similar language about sparing hospitals, critical infrastructure, non-profits, etc.
Black Matter also promised free decryption if its affiliates fail & kill kittens or freeze files at, say, pipeline companies, as happened when Colonial Pipeline was attacked by Dark Side in May.
Haron & Its Cut-&-Paste Ransom Note
The 1st sample of the Haron malware was submitted to Virus Total on July 19. 3 days later, the S. Korean security firm S2W Lab reported on the group in a post that laid out similarities between Haron & Avaddon.
Avaddon is yet another prolific ransomware-as-a-service (RaaS) provider that evaporated in June rather than face the legal heat that followed Colonial Pipeline & other big ransomware attacks.
At the time, Avaddon released its decryption keys to Bleeping Computer – 2,934 in total – with each key belonging to an individual victim. According to law enforcement, the average extortion fee Avaddon demanded was about $40k, meaning the ransomware operators & their affiliates quit & walked away from millions.
In its July 22 post, S2W Lab said that when infected with Haron ransomware, “the extension of the encrypted file is changed to the victim’s name.” Haron is also similar to Avaddon ransomware in that its operators are using a ransom note & operating their own leak site. In its post, S2W provided side-by-side images of ransom notes from the 2 gangs.
The 2 ransom notes read like a cut-&-paste job. S2W Lab noted that the main difference is that Haron suggests a specific ID & Password for victims to log in to the negotiation site.
There are many other similarities between Haron & Avaddon, including:
- Yet more cut-&-paste verbiage on the 2 negotiation sites.
- Nearly identical appearances of the negotiation sites, besides the ransomware name of “Avaddon” being swapped for “Haron.”
- The 2 leak sites share the same structure.
If Haron is Avaddon reborn, the ‘new bottles for the old wine’ include a strategy to induce negotiations by setting a time for the next data update. Another difference: no triple-threat play to be seen from Haron, at least not yet.
In triple-threat attacks, not only is data encrypted locally & exfiltrated before the ransom demand is made, but recalcitrant victims are also subjected to threats of distributed denial-of-service (DDoS) attack until they yield.
Also, Haron has shrunk the negotiation time to 6 days, whereas Avaddon allotted 10 days for negotiation. Another difference is in the engines running the 2 ransomwares: S2W Lab stated that Haron is running on the Thanos ransomware – a “Ransomware Affiliate Program,” similar to a ransomware-as-a-service (RaaS), that’s been sold since 2019 – whereas Avaddon was written in C++.
None of the similarities are solid proof of Avaddon having risen from the ashes like a ‘ransomware phoenix’: They could simply point to 1 or more threat players from Avaddon working on a reboot, or they could point to nothing at all.
“It is difficult to conclude that Haron is a re-emergence of Avaddon based on our analysis,” according to S2W’s writeup, which pointed out that “Avaddon developed and used their own C++ based ransomware,” whereas the publicly available Thanos ransomware that Haron is using is based on C#.
Sentinel One’s Jim Walter told Ars that he’s seen what look like similarities between Avaddon & Haron samples, but he’ll know more soon.
As of July 22, Haron’s leak site had only disclosed 1 victim.
The 2nd ransomware newbie calls itself Black Matter. News about the new network was reported on Tues. by security firm Recorded Future – which labelled it a successor to Dark Side & REvil – & by its news arm, The Record. Risk intelligence firm Flashpoint also spotted the newcomer, noting that Black Matter registered an account on the Russian-language underground forums XSS & Exploit on July 19 & deposited 4 bitcoins (approximately $150k) into its Exploit escrow account.
Both of those forums banned ransomware discussion in May, following Dark Side’s attack on Colonial Pipeline.
In the wake of that catastrophic shutdown, which sparked gas hoarding along the US East coast & an emergency order from the US Federal Govt., REvil instituted pre-moderation for its partner network, saying that it would ban any attempt to attack any government, public, educational, or healthcare organisations.
Significant New Restrictions
Referring to Dark Side’s experience, REvil’s backers stated that the group was “forced to introduce” these “significant new restrictions,” promising that affiliates that violated the new rules would be kicked out & that it would give out decryption tools for free.
Flashpoint noted that the large deposit on the Exploit forum shows that Black Matter is serious.
On July 21, the threat player stated that the network is looking to buy access to affected networks in the US, Canada, Australia, & the UK, presumably for ransomware operations. It’s offering up to $100k for network access, as well as a cut of the ransom take.
Black Matter is putting up big money because it’s after big fish. The group said that it was looking for deep-pocketed organisations with revenues of more than $100m: the size of organisations that could be expected to pay big ransoms. The threat player is also requiring that targets have 500-15,000 hosts in their networks. It’s also up for all industries, except for healthcare & governments.
‘We Are Ethical Blood Suckers’
That’s where the virtue signalling comes in. The Record reports that Black Matter’s leak site is currently empty, which means that Black Matter only launched this week & hasn’t yet carried out any network penetrations.
When it does go after victims, the list won’t include a roster of target types that is currently, supposedly, taboo to target. A section of Black Matter’s leak site lists the types of targets that are off-limits, including:
- Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities)
- Oil & gas industry (pipelines, oil refineries)
- Defense industry
- Non-profit companies
- Government Sector
Familiar? That’s because it’s identical to a list formerly provided on the leak site of the Dark Side gang before it supposedly went defunct following the Colonial attack. Promises not to attack these types of organisations aren’t always adhered to by these gangs’ affiliates, but Black Matter has promised that if victims from those industries are attacked, the operators will decrypt their data for free.
Digital Shadows’ Sean Nikkel explained that the careful selection of big companies reflects the increasing number of threat players that are “doing their due diligence” when it comes to selecting victims.
“We’ve seen time & again when they have some knowledge around key personalities within an organisation, revenue, size, & even customers, so the idea of ‘big game hunting’ seems to be in line with observed ransomware trends,” Nikkel commented.
He called the virtue signalling & promise to do right by the exempted industries an “interesting twist.”
“While REvil had publicly stated that everything was ‘fair game’ previously, maybe this cooling-off period from previous attention has forced a change of heart, if it is indeed them coming back,” Nikkel added.
“Interesting” is 1 way to describe it. Another way to look at it is as ‘squeaking from blood-sucking parasites’, as a commenter on Ars’ coverage suggested:
Ransomware Phoenixes or New Ratbags?
Dirk Schrader, Global VP of Security Research at New Net Technologies (NNT), outlined that anybody who didn’t see REvil or Dark Side re-emerging might not have their head ‘screwed on right.’
There’s a “good chance” that REvil decided proactively “to take down everything & to re-emerge, just to make tracking & tracing even more difficult,” he added.
Meantime, whatever warnings the Biden administration has been aiming at Russia or China about ‘kinetic responses’ & ‘hack-backs’ won’t change the situation, Schrader predicted. The threat players are refining their approaches to look at targets that have “a higher motivation” to pay ransom, cases in point being Kaseya & SolarWinds.
“Ransomware groups will continue to look for attack vectors that are likely to have a higher motivation for payment, & that is the next evolution in this business,” Schrader explained.
“We already see the early effects. Kaseya, SolarWinds, tools that promise access to high-value assets, where an organisation’s revenue stream & reputation depends on.”
Schrader thinks that VMware’s recently added capability of encrypting ESXi servers is “a harbinger of what will come,” pointing to CISA’s recent alert about the top routinely exploited vulnerabilities, which included a warning about CVE-2021-21985: the critical remote code execution (RCE) vulnerability in VMware vCenter Server & VMware Cloud Foundation.
“In essence, not paying a ransom is the only angle that will – over time – eradicate ransomware,” Schrader observed.
“To be positioned for that, companies will have to minimise & protect their attack surface, harden their systems & infrastructure, manage existing accounts properly & delete old ones, patch vulnerabilities according to risks, & be able to operate in a cyber-resilient manner when under attack.”