It hasn’t been long since the Avaddon ransomware gang went offline and released decryption keys. Now, a spin-off of it has surfaced online. Identified as Haron, the new ransomware bears a striking resemblance to Avaddon. It also exhibits similarities with Thanos ransomware, establishing itself as an amalgam of the two notorious ransomware families.
Haron Ransomware Resembles Avaddon
Researchers from S2W Lab have shared insights about the new Haron ransomware, hinting at the rebranding of Avaddon. Haron first caught attention in July 2021.
As elaborated in their Medium post, the new ransomware bears an uncanny resemblance to the (seemingly) now-defunct Avaddon ransomware.
Briefly, analysis of Haron revealed that it uses a ransom note similar (or identical) to Avaddon’s. Also, the new ransomware operates its dark web leak site and negotiation site on Avaddon’s domain. The difference, however, is that Haron’s negotiation site requires a password to access it.
Moreover, the researchers also noticed similarities in the site’s interface and strings. The threat actors tweaked the newer site a bit by removing the icon in the chat option and changing the date format.
Another difference is that Haron sets a 6-day negotiation deadline, unlike Avaddon, which allowed 10 days.
As for the malware itself, Haron uses the now-published Thanos ransomware.
Is Avaddon Back?
Although the threat actors behind Haron have played it smart to disguise the re-emergence of Avaddon, the striking similarities between the two evidently hint at a rebranding.
However, the lack of specialized skills behind Haron, the blatant use of the publicly available Thanos ransomware code, and the use of an open-source chat feature might also hint that the threat actors have exploited the remains of Avaddon to establish another ransomware operation.
Whatever the case is, users, particularly enterprises, must remain wary of cyberattacks, especially ransomware threats.
Recently, the DarkSide ransomware gang has also re-emerged as BlackMatter.