New Haron Ransomware Bears Striking Resemblance To Avaddon

It hasn’t been long since the Avaddon ransomware gang went offline and released decryption keys. Now, a spin-off of it has surfaced online. Identified as Haron, the new ransomware bears a striking resemblance to Avaddon. It also exhibits similarities with Thanos ransomware, establishing itself as an amalgam of the two notorious ransomware families.

Haron Ransomware Resembles Avaddon

Researchers from SW2 Lab have shared insights about the new Haron ransomware, hinting at the rebranding of Avaddon. Haron first caught attention in July 2021.

As elaborated in their Medium post, the new ransomware bears an uncanny resemblance to the (seemingly) now-defunct Avaddon ransomware.

Briefly, analysis of Haron revealed that its ransom note is similar (or identical) to Avaddon’s. Also, the new ransomware operates its dark web leak site and negotiation site on Avaddon’s domain. The difference, however, is that Haron’s negotiation site requires a password for access.

Moreover, the researchers also noticed similarities in the site’s interface and strings. The threat actors tweaked the newer site a bit by removing the icon in the chat option and changing the date format.

Source: SW2 Lab

Another difference is that Haron has set a 6-day negotiation deadline, unlike Avaddon, which allowed 10 days.

As for the malware itself, Haron uses the now-published Thanos ransomware.

Is Avaddon Back?

Although the threat actors behind Haron have tried to disguise the re-emergence of Avaddon, the striking similarities between the two hint at a rebranding.

However, the lack of specialized skills shown with Haron, the blatant use of the publicly available Thanos ransomware code, and the use of the open-source chat feature might also hint that the threat actors have exploited the remains of Avaddon to establish another ransomware.

Whatever the case is, users, particularly enterprises, must remain wary of cyberattacks, especially ransomware threats.

Recently, the DarkSide ransomware gang has also re-emerged as BlackMatter.
