haron

Haron is a ransomware group that emerged in July 2021 and is believed to share operational similarities with the Avaddon ransomware, which shut down the month prior. Haron uses a double-extortion model—encrypting victims’ data and threatening to publish stolen files on a Tor-based leak site. The ransomware is written in C# and uses the Salsa20 encryption algorithm with RSA-1024 for key protection. File extensions are typically not changed during encryption, but ransom notes named HOW TO RESTORE YOUR FILES.txt are dropped across affected systems. Initial access methods are not comprehensively documented in public sources but may include phishing campaigns and exploitation of exposed RDP services. Haron’s leak site and negotiation structure closely resemble Avaddon’s, suggesting either code reuse or a shared affiliate network.