Harvest Ransomware Attack – Details of the data breach released

French fintech heavyweight Harvest SAS, renowned for its digital wealth management solutions, has become the latest high-profile victim in a string of sophisticated ransomware attacks.

The breach, orchestrated by the emerging cybercriminal group Run Some Wares, has exposed a wide array of sensitive corporate and client data, underscoring the escalating threat landscape facing the financial technology sector.

What Happened at Harvest SAS?

According to the report, Harvest SAS, headquartered in Paris, is a leading provider of digital platforms for wealth management professionals.

Its portfolio includes asset management software, CRM tools, and business management solutions tailored for finance, real estate, and technology sectors.

On April 10, 2025, Run Some Wares publicly claimed responsibility for compromising Harvest, identifying the victim by its official website, harvest[.]eu.

The attack was initially detected on February 27, but only disclosed by Harvest in April after internal investigations confirmed a “cyber incident” impacting core systems.

Anatomy of the Data Breach

The breach followed a classic ransomware kill chain:

  • Initial Access: Attackers exploited a virtual machine hosted by a third-party provider, bypassing some of Harvest’s robust defenses, including endpoint detection and response (EDR), extended detection and response (XDR), SIEM, and patch management systems. However, multi-factor authentication (MFA) was not universally enforced, leaving certain accounts vulnerable.
  • Double Extortion Tactics: Run Some Wares employed a double extortion model—encrypting internal systems while exfiltrating data for leverage. Victims were pressured to pay a ransom in Bitcoin, with the threat of public data leaks on dedicated .onion (dark web) sites.
  • Data Leak: Within days, the group published Harvest’s name and a sample of stolen files on their leak site, later releasing the full data set after ransom negotiations stalled.

What Was Exposed?

The attackers exfiltrated a comprehensive range of sensitive data, as revealed by the leaked directory structure:

  • Core Business Operations: Folders such as 0. HARVEST/, Projets en cours/, Agile/, and SCRUM/ exposed project plans, strategy documents, and organizational charts.
  • Financial and Accounting Data: Directories like Comptabilité & Paye/, Compta & DEV & QA & Conception/, and Back Office & Qualité/ likely contained accounting records, payroll data, and quality assurance files.
  • HR and Personnel Files: Folders labeled DSI & RH/, RH/, and Personnel et confidentiel/, along with directories named after employee email addresses, indicate exposure of employment contracts, evaluations, and payroll information.
  • Credentials and Encryption Keys: Directories such as Clés de chiffrement BDD/, Clés de chiffrement Veeam/, KeyPass/, keepass/, and mdp/ point to the compromise of password vaults and internal credentials, posing a significant risk to the broader infrastructure.
  • Legal and Regulatory Documentation: Folders like Juridique & Comptabilité/, Finance & Juridique/, and CONFIDENTIEL - VALUANCE/ suggest access to legal records and compliance documents.
  • Technical and Development Assets: Evidence of compromised proprietary source code, AI models, and infrastructure configurations was found in directories such as Machine - Deep Learning/, IA Generative/, and SQL Server Management Studio/.
  • Third-party and Client Data: Numerous folders referenced external partners and clients, raising the risk of downstream impact.
  • Internal Communications: Email archives and communication files were also leaked, increasing the risk of targeted phishing and social engineering.
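A defender handed a leaked directory listing like the one above has to decide, quickly, which folders imply credentials or keys that must be rotated and which imply people who must be notified. The script below is an added example, not code from the article or from Harvest; it classifies folder names into the categories the article uses and derives rotation actions for the key and password-vault directories. The sample listing is constructed from the folder names reported above (the nesting order and the employee e-mail address are assumptions), and the keyword rules are a starting point a responder would extend for their own environment.

```python
import re
from collections import defaultdict

# Constructed sample listing: folder names taken from the article; the
# order and the example e-mail address are assumptions for illustration.
LEAKED_LISTING = """\
0. HARVEST/
Projets en cours/
Comptabilité & Paye/
DSI & RH/
Personnel et confidentiel/
jane.doe@example.invalid/
Clés de chiffrement BDD/
Clés de chiffrement Veeam/
KeyPass/
keepass/
mdp/
Juridique & Comptabilité/
Machine - Deep Learning/
SQL Server Management Studio/
"""

# (category, pattern, priority). Lower priority number means act sooner.
# Rules are checked in order, so the secrets rule wins over everything else.
RULES = [
    ("secrets",   re.compile(r"cl[eé]s? de chiffrement|keepass|keypass|\bmdp\b|mot.?de.?passe|password", re.I), 0),
    ("personnel", re.compile(r"\brh\b|personnel|paye|payroll", re.I), 1),
    ("legal",     re.compile(r"juridique|confidentiel", re.I), 2),
    ("finance",   re.compile(r"compta|finance", re.I), 2),
    ("technical", re.compile(r"deep learning|ia generative|sql server|\bdev\b|conception", re.I), 3),
]
# A folder named after an e-mail address is a per-employee file share.
EMAIL_DIR = re.compile(r"^[^/\s@]+@[^/\s@]+\.[a-z]{2,}$", re.I)

# Concrete follow-up per kind of secret store (assumed wording, not from the article).
ROTATION_HINTS = [
    (re.compile(r"bdd", re.I), "rotate database encryption keys and re-encrypt affected data"),
    (re.compile(r"veeam", re.I), "rotate backup encryption keys and verify backup integrity"),
    (re.compile(r"keepass|keypass|mdp|password", re.I),
     "treat every credential in the vault as compromised; reset and enforce MFA"),
]


def classify(path):
    """Return (category, priority) for one leaked folder name."""
    name = path.strip().rstrip("/")
    if EMAIL_DIR.match(name):
        return "personnel", 1
    for category, pattern, priority in RULES:
        if pattern.search(name):
            return category, priority
    return "other", 4


def triage(listing):
    """Group leaked folders by category, most urgent category first."""
    groups = defaultdict(list)
    for line in listing.splitlines():
        if not line.strip():
            continue
        category, priority = classify(line)
        groups[(priority, category)].append(line.strip())
    return [(category, sorted(paths)) for (_, category), paths in sorted(groups.items())]


def rotation_actions(listing):
    """List (folder, action) pairs for every folder that implies leaked secrets."""
    actions = []
    for line in listing.splitlines():
        if not line.strip() or classify(line)[0] != "secrets":
            continue
        folder = line.strip().rstrip("/")
        hint = next((h for pat, h in ROTATION_HINTS if pat.search(folder)),
                    "rotate every secret referenced by this folder")
        actions.append((folder, hint))
    return actions


if __name__ == "__main__":
    for category, paths in triage(LEAKED_LISTING):
        print(f"[{category}] {', '.join(paths)}")
    for folder, action in rotation_actions(LEAKED_LISTING):
        print(f"ROTATE  {folder}: {action}")
```

The ordering matters: a folder such as Personnel et confidentiel/ matches both the personnel and the legal rule, and the earlier, higher-priority rule wins, so payroll and HR folders are never demoted to a lower tier. The secrets tier is deliberately checked first because, as the article notes, leaked key and vault directories threaten the broader infrastructure rather than a single data set.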

Who Is Run Some Wares?

Run Some Wares is a relatively new but rapidly growing ransomware group, first publicly identified in February 2024. The group is notorious for:

  • Double Extortion Model: Encrypting data and threatening public leaks.
  • Dark Web Operations: Using multiple .onion sites for data leaks and ransom negotiations.
  • Diverse Targeting: No fixed pattern, but frequent attacks on finance and manufacturing sectors.
  • Operational Maturity: Their infrastructure already hosts sensitive data from victims worldwide.

As of April 2025, Run Some Wares has claimed responsibility for five major attacks, including on Harvest SAS (France), Donna G. Rogers (USA), Thai Metal Aluminium Co (Thailand), F&V Capital Management (USA), and Gilbert (USA).

Sector-Wide Implications

The Harvest breach exemplifies the record-breaking surge in ransomware attacks in 2025, with double extortion and data exfiltration now the norm.

The incident highlights the importance of comprehensive cybersecurity, including universal MFA, regular credential audits, and proactive dark web monitoring.

Harvest continues to investigate the full impact and is working with cybersecurity experts to remediate the breach and notify affected clients.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
