Reference: Quick analysis of Haron Ransomware (feat. Avaddon and Thanos)
We know what you are doing, Haron
- Haron currently seems to be preparing to rebrand the extortion site.
- Haron’s servers, both the current one and the newly rebranded one, are located in the same country and use the same hosting service.
- The newly rebranded site has posted 7 more victims than Haron’s current site and mentions the same infected companies as Haron.
- They used FinalLogo.png, which contains “RANSONWARE” and is based on mw-com-logo-removebg-preview.png, which was used in the article regarding .com ransomware. We are not sure whether the misspelling RANSONWARE is intentional.
- As part of the onion domain, Haron will likely rebrand under the name Midas.
Newly rebranded site including the same resources of Avaddon & Haron
- The negotiation credential given to the victim is the same as Haron’s.
- Homepage: https://s2w.inc/