Analysts from the South Korean company S2W Labs have discovered a new ransomware operation, Haron, and note its similarity to well-known malware such as Thanos and Avaddon (no longer active).
The first samples of the ransomware were found in early July. Like the vast majority of modern ransomware, Haron mainly attacks companies and enterprises in order to maximize its profits, and it also has its own data leak site, which publishes information stolen from victims if they refuse to pay to decrypt files.
Researchers at S2W Labs say that, from a technical point of view, Haron is built on code copied from other ransomware. The researchers noted the following “parallels”:
- Haron uses the old Thanos ransomware builder to create binaries;
- the ransomware site, where victims are asked to negotiate and pay the ransom, is almost identical to Avaddon’s site (as is the site for leaking stolen data);
- the ransom letter contains large snippets of text copied from a similar Avaddon note;
- the Haron server contains icons and images that were previously found on the official Avaddon website.
What accounts for all these similarities is still unclear. The researchers believe that the Haron operators may have hired one of the former Avaddon members, but they clearly did not have access to the source code of the Avaddon ransomware.