Our Investigation of the Harvest Ransomware Attack [Flash Report]

This blog is a summary of our latest flash report “Harvest Ransomware Attack”. Interested in reading this report as a non client? Get in touch with us to access this content.

What has been happening at Harvest SAS?

Harvest, a French fintech company, was the target of a ransomware attack carried out by the emerging group Run Some Wares.

Harvest, founded in France, is a leading fintech company headquartered in Paris. The firm specializes in creating and designing digital solutions and software tailored for professionals in wealth management. Harvest focuses on developing platforms that streamline asset management, portfolio construction, and financial analysis. Their services include wealth management software, asset CRM tools, and other solutions linked to account subscription and product management procedures.

Harvest has built a robust portfolio of digital platforms and services, supporting sectors such as finance, real estate, and technology. Their offerings include benchmark solutions for wealth management, powerful business management tools, and optimal solutions for analyzing and constructing financial offers.

An outline of the Harvest SAS data breach so far

On April 10, 2025, the Run Some Wares ransomware group claimed responsibility for compromising the France-based software firm Harvest SAS via its website, harvest[.]eu.

The attack was initially detected on February 27 but was first reported on April 10, when Harvest disclosed that it had experienced a “cyber incident” affecting its internal systems. Almost immediately, cybersecurity analysts began linking the breach to Run Some Wares, who later claimed responsibility through one of their dark web leak sites.

A screenshot of a Run Some Wares publication related to the Harvest group leak.

Within days of the breach, Run Some Wares published Harvest’s name on their leak site, along with a sample of stolen files. These included internal documents and client-related data. Today the full scope of the data leak has been made public by the group.

What was exposed in this breach?

The Harvest ransomware attack resulted in the exfiltration and exposure of a broad array of highly sensitive corporate data, impacting nearly every aspect of the company’s operations. Attackers employed double extortion tactics, both encrypting internal systems and stealing data for potential public release.

The leaked directory structure indicates compromise of:

  • Core Business Operations: Folders such as 0. HARVEST/, Projets en cours/, Agile/, and SCRUM/ suggest exposure of project plans, strategy documents, meeting notes, and organizational charts.
  • Financial and Accounting Data: Directories like Comptabilité & Paye/, Compta & DEV & QA & Conception/, and Back Office & Qualité/ likely contain accounting records, payroll data, and quality assurance files.
  • HR and Personnel Files: Folders labeled DSI & RH/, RH/, Personnel et confidentiel/, and directories named after employee email addresses indicate exposure of employment contracts, evaluations, payroll information, and other sensitive HR documents.
  • Credentials and Encryption Keys: Directories such as Clés de chiffrement BDD/, Clés de chiffrement Veeam/, KeyPass/, keepass/, and mdp/ point to the compromise of password vaults, encryption keys, and internal credentials, posing significant risk to broader infrastructure.
  • Legal and Regulatory Documentation: Folders like Juridique & Comptabilité/, Finance & Juridique/, and CONFIDENTIEL - VALUANCE/ suggest access to legal records, contracts, internal audits, and documents related to compliance or corporate transactions.
  • Technical and Development Assets: The presence of Machine - Deep Learning/, IA Generative/, SQL Server Management Studio/, and oracle.sqldeveloper.* indicates potential exposure of proprietary source code, AI models, scripts, and infrastructure configurations.
  • Third-party and Client Data: Numerous folders reference external partners and clients, raising the risk of downstream impact.
  • Internal Communications: Email archives and internal communication files were also leaked, increasing the risk of targeted phishing and social engineering.

A threat actor snapshot: Who is Run Some Wares?

A screenshot of the group’s ransomware leak site on TOR. Source: CybelAngel’s Flash report.

Run Some Wares, the threat actor behind the recent Harvest breach, is a relatively new but rapidly emerging ransomware group.

They are also known for these key characteristics:

  • Adoption of the double extortion model (encrypting data and threatening public leaks)
  • Use of multiple .onion sites to leak stolen data and negotiate ransoms
  • No fixed targeting pattern, but frequent attacks on finance and manufacturing sectors

Run Some Wares primarily operates on the dark web, leveraging dedicated leak sites to publish victim data and pressure organizations into ransom payments. Their infrastructure is notable for its operational maturity, with active sites already hosting sensitive data from victims worldwide.

CybelAngel analysts and other industry observers have found that Run Some Wares, despite its recent emergence, has quickly established a global reach. Their attacks span various regions and industries, with a focus on maximizing impact and visibility.

As of April 2025, Run Some Wares has claimed responsibility for five major attacks:

  • Harvest (France): A leading fintech company specializing in wealth management software. The breach was discovered in April.
  • Donna G. Rogers (USA): An accounting firm targeted in late February.
  • Thai Metal Aluminium Co (Thailand): A manufacturing company attacked in February.
  • F&V Capital Management (USA): A financial services firm targeted in February.
  • Gilbert (USA): A supply chain company, with the breach discovered in late February.

Good to know

Do you know if you’ve been impacted by this leak? CybelAngel can support you from detection to remediation. Within our Dark Web Monitoring service, we scan TOR, I2P, Discord, Telegram and IRC among other platforms to keep your data safe.

Get in touch

If you are not a client but wish to have a complete picture of this threat actor, you can obtain access to this report by getting in touch.