Cyber Security News

Harvest Ransomware Attack – Details of the Data Breach Released

Harvest SAS, a leading French fintech company specializing in wealth management software, has fallen victim to a sophisticated ransomware attack. 

The ransomware attack was first detected on February 27, 2025, but Harvest publicly disclosed the incident on April 10, 2025, describing it as a “cyber incident” affecting internal systems.

Shortly after the announcement, the ransomware group Run Some Wares claimed responsibility via their dark web leak site, publishing sample stolen files and confirming the breach.

Screenshot of a Run Some Wares publication related to the Group Harvest leak

Double Extortion Tactics

According to cybersecurity firm CybelAngel, the attackers employed double extortion tactics—both encrypting internal systems and exfiltrating sensitive data for potential public release. 

Today, the full scope of the compromised data has been made public by Run Some Wares through one of their .onion sites.

Forensic analysis of the leaked directory structure reveals an extensive compromise of Harvest’s digital infrastructure. 

Ransomware site of the group on TOR

Technical specialists identified multiple compromised system directories, including 0. HARVEST/, Projets en cours/, Agile/, and SCRUM/, containing strategic business operations documents, as well as Comptabilité & Paye/ and Compta & DEV & QA & Conception/, exposing accounting records and financial data.

Particularly concerning was the breach of directories such as Clés de chiffrement BDD/, Clés de chiffrement Veeam/, KeyPass/, and mdp/ which contained encryption keys and password vaults, potentially giving attackers expanded network access.

Technical assets were also compromised, with directories including Machine – Deep Learning/, IA Generative/, SQL Server Management Studio/, and oracle.sqldeveloper.* suggesting potential exposure of proprietary source code and AI models.

Security researchers note that Run Some Wares likely gained initial access through remote network vulnerabilities, potentially using techniques similar to those documented in other incidents where threat actors exploited weak passwords to bypass VPN security.

Once inside, they likely deployed tools to gather information about the victim’s network using commands such as:

These commands would compress stolen data before exfiltration.

This attack marks the fifth major operation claimed by Run Some Wares, who despite their recent emergence have quickly established a global reach targeting diverse sectors. 

Their attack methodology follows patterns observed in other ransomware groups, including the discreet use of legitimate system tools to execute malicious payloads.

Harvest, headquartered in Paris, has built a substantial portfolio of digital platforms supporting finance, real estate, and technology sectors. 

The company has not yet disclosed whether a ransom was paid or if they’re working with authorities to investigate the incident.

Cybersecurity experts recommend that organizations implement robust backup systems, employ multi-factor authentication, and regularly update security protocols to mitigate similar attacks; incident response times have seen a 20% reduction when proper data-driven security measures are in place.


Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
