Haron Season2: Rebranding in progress

Reference: Quick analysis of Haron Ransomware (feat. Avaddon and Thanos)

We know what you are doing, Haron

The main page of the newly rebranded site

• Haron currently seems to be preparing to rebrand the extortion site.
• Haron’s servers, the current server and newly rebranded one are located on the same country and using the same hosting service.
• The newly rebranded site posted 7 more victims than the current Haron’s site and mentioned the same infected companies as Haron.

The comparison between Haron’s current site and the newly rebranded site

• They used FinalLogo.png which contains “RANSONWARE” based on mw-com-logo-removebg-preview.png which was used in the article regarding .com ransomware. We are not sure that misspelled RANSONWARE is intended or not.

Comparison between the original image and “FinalLogo.png”

• As part of the onion domain, Haron will likely rebrand under the name Midas.

“Midas” included in the onion domain

Newly rebranded site including the same resources of Avaddon & Haron

The logo of Avaddon

The logo of Haron

• The negotiation credential given to the victim is the same as Haron.

The login page of the newly rebranded site and Haron’s

• Homepage: https://s2w.inc/
• Facebook: https://www.facebook.com/S2WLAB/
• Twitter: https://twitter.com/S2W_Official