July has witnessed the emergence of two new ransomware-as-a-service (RaaS) groups, Haron and BlackMatter. Cybersecurity experts have been closely examining the attacks that these groups are believed to be responsible for and have discovered links to some well-known RaaS operations that have recently gone quiet: Avaddon, REvil, and DarkSide.

There is still no solid proof of a connection, only a range of similarities. These suggest either that the Avaddon, REvil, and DarkSide RaaS operations have reorganized their attacks, or that people who worked on those operations have started their own group.

Even though advertising RaaS operations is forbidden on some cybercrime forums, BlackMatter has been advertising for affiliates on Russian-speaking cybercrime forums, although without stating outright that it is a RaaS operation. A user calling themselves “BlackMatter” created accounts on July 19 on both the XSS and Exploit criminal forums, seeking help gaining access to the networks of U.S., UK, Australian, or Canadian businesses with more than $100 million in annual revenue. They also made it clear that they were not seeking access to state institutions or any targets in the healthcare sector. This came not long after REvil and Avaddon announced, following the Colonial Pipeline attack, that they too would cease these types of attacks.

An escrow account, to be used to settle disputes over payments, was set up by the BlackMatter operator with a $120,000 deposit. The group is offering a reward of between $3K and $100K, along with a share of any ransoms earned, in exchange for access. The BlackMatter operators boast that their group combines the strongest features of DarkSide, REvil, and LockBit, all three of which are believed to have operated from inside Russia.

Several cybersecurity groups have identified similarities between BlackMatter and both REvil and DarkSide, with Recorded Future labelling BlackMatter the heir to DarkSide and REvil, although the proof remains circumstantial at this point in time. For example, the name BlackMatter is very similar to BlackLivesMatter, the name of the Windows registry key used by REvil. Mandiant reports that it has found some evidence indicating that at least one member of the DarkSide operation is working with BlackMatter, although that individual may simply be an affiliate who has moved their partnership to the new group.

S2W Lab has found similarities between Haron ransomware and Avaddon, notably a largely copy-and-pasted ransom note, similar appearance and wording on the ransom negotiation sites, the same structure on the data leak sites, and identical sections of JavaScript chat code. However, while the Avaddon gang wrote its own ransomware, Haron was built on the Thanos ransomware.

The similarities may mean nothing, or the code may simply have been copied by the BlackMatter creator to save time, as there are also significant differences between the two. As noted above, no clear proof has been found that Avaddon and Haron are one and the same.

Cybersecurity experts are still investigating the new groups, but regardless of who is managing the operations, their aims look very similar. Both are focusing on large, high-revenue businesses, and if the RaaS operations that have gone quiet remain out of action, there will be many affiliates looking for a new RaaS operation to work with.