
Haron and CGP Ransomware: Same Malware used by Different Threat Actors


Almost three quarters of ransomware attacks result in data being encrypted: 51% of organizations were hit by ransomware in the last year, and the criminals succeeded in encrypting the data in 73% of those attacks. Attack rates differed only slightly by organization size: just under half of smaller organizations (100-1000 employees) were hit (47%), against just over half (54%) of larger organizations (1001-5000 employees).

According to several sources, ransomware attacks have become more sophisticated as threat actors seize sensitive corporate data and hold it hostage for payment. Attackers use many techniques, but a common one is to infiltrate a company and steal its data before encrypting it. Ransom demands have grown over the years, with some running into the tens of millions of dollars.

Across the world, attackers are exploiting security weaknesses to take corporate, government and health-care data hostage, demanding tens of millions of dollars in payment. Ransomware, malware that holds digital information hostage, has become the first choice of cyber criminals in recent years. Recent attacks using ransomware include those on Colonial Pipeline, JBS (the world's largest meat packer) and the Washington, D.C. Metropolitan Police Department.

New Ransomware Rising from RaaS Operators

As ThreatIT already noted, Haron is built with the Thanos builder, which was recently shared on GitHub, and its feature set has hardly changed from it. Haron's public negotiation site, where victims are offered to buy back their data, is designed the same way as the one Avaddon ran, and its chat bot is built on an open-source JavaScript script. The web interface of the Haron leak site, hosted on the same domain, is lifted from Avaddon, but unlike Avaddon, the plagiarist does not yet threaten victims with DDoS attacks. The ransom note left on victims' computers also borrows text from Avaddon, and the files on the Haron server still contain the icons, logos and samples of stolen data that Avaddon operators used to intimidate victims.

Haron Ransomware 

The first samples of the ransomware were found in early July 2021. Like the vast majority of modern ransomware, Haron mainly attacks companies and enterprises to maximize profit, and it runs its own data leak site, which publishes information stolen from victims who refuse to pay for file decryption.

Haron is targeted ransomware: the extension it appends to encrypted files is derived from the victim company's name rather than being fixed in the binary. The first known victim was the CHADDAD Group, and the first strain appended the extension ".chaddad" to encrypted files.
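Because Haron derives the extension from the victim's name, a detection that matches a fixed list of known ransomware extensions will not fire on a new victim. The following added example (written for this article; it is not Haron code or a ThreatIT tool) shows the check a defender would want instead: it reads file-rename telemetry and alerts when an extension outside the environment's allowlist lands on many files within a short window, and it shows the static blocklist missing the same events. The event records, hostnames, thresholds, allowlist and blocklist are all constructed for the example.

```python
"""
Added example (not from the original article): burst detection for
per-victim file extensions such as Haron's ".chaddad".

A static extension blocklist never matches an extension chosen per
victim. The check below instead looks at file-rename telemetry and flags
any extension that (a) is not on an allowlist of extensions normally
seen in the environment and (b) lands on at least MIN_FILES files
within WINDOW_SECONDS on one host.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical allowlist: extensions that routinely appear in rename events.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".tmp", ".bak", ".log"}

# Hypothetical static blocklist of the kind that misses per-victim extensions.
BLOCKLIST = {".locked", ".encrypted", ".crypt"}

MIN_FILES = 5          # distinct files renamed to the same new extension
WINDOW_SECONDS = 60    # within this many seconds, on one host

# Constructed sample telemetry: (timestamp, host, old path, new path),
# mimicking the fields an EDR or Sysmon rename event carries.
SAMPLE_EVENTS = [
    ("2021-07-13T01:21:13", "FS01", r"C:\Share\q2\budget.xlsx",  r"C:\Share\q2\budget.xlsx.chaddad"),
    ("2021-07-13T01:21:14", "FS01", r"C:\Share\q2\plan.docx",    r"C:\Share\q2\plan.docx.chaddad"),
    ("2021-07-13T01:21:14", "FS01", r"C:\Share\q2\notes.txt",    r"C:\Share\q2\notes.txt.chaddad"),
    ("2021-07-13T01:21:15", "FS01", r"C:\Share\hr\contract.pdf", r"C:\Share\hr\contract.pdf.chaddad"),
    ("2021-07-13T01:21:16", "FS01", r"C:\Share\hr\payroll.xlsx", r"C:\Share\hr\payroll.xlsx.chaddad"),
    ("2021-07-13T01:21:17", "FS01", r"C:\Share\hr\org.docx",     r"C:\Share\hr\org.docx.chaddad"),
    # Benign noise: an editor writing a temp file and a log rotation.
    ("2021-07-13T01:22:00", "WS07", r"C:\Users\a\report.docx",   r"C:\Users\a\report.docx.tmp"),
    ("2021-07-13T02:00:00", "FS01", r"C:\Logs\app.log",          r"C:\Logs\app.log.bak"),
]


def new_extension(path):
    """Extension of the renamed file, lower-cased, e.g. '.chaddad'."""
    return os.path.splitext(path)[1].lower()


def blocklist_hits(events, blocklist=BLOCKLIST):
    """The static approach: return events whose new extension is on the blocklist."""
    return [e for e in events if new_extension(e[3]) in blocklist]


def detect_mass_rename(events, min_files=MIN_FILES, window_seconds=WINDOW_SECONDS,
                       known=KNOWN_EXTENSIONS):
    """
    Return one alert per (host, extension) whose rename count crossed
    min_files inside a sliding window of window_seconds. Extensions on the
    allowlist are ignored; everything else is a candidate, whatever its name.
    """
    per_key = defaultdict(list)
    for ts, host, _old, new in events:
        ext = new_extension(new)
        if not ext or ext in known:
            continue
        per_key[(host, ext)].append(datetime.fromisoformat(ts))

    alerts = []
    window = timedelta(seconds=window_seconds)
    for (host, ext), stamps in per_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Advance the window start until the span fits in window_seconds.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_files:
                alerts.append({"host": host, "extension": ext,
                               "count": end - start + 1,
                               "first": stamps[start].isoformat(),
                               "last": stamps[end].isoformat()})
                break  # one alert per (host, extension) is enough
    return alerts


if __name__ == "__main__":
    print("blocklist hits:", len(blocklist_hits(SAMPLE_EVENTS)))
    for a in detect_mass_rename(SAMPLE_EVENTS):
        print(f"ALERT host={a['host']} ext={a['extension']} files={a['count']} "
              f"between {a['first']} and {a['last']}")
```

On the constructed events the blocklist returns nothing, while the burst check raises one alert for FS01 and ".chaddad". The thresholds are a starting point only; tune MIN_FILES and the window against the file-server rename baseline of the environment, and treat the allowlist as something to learn from telemetry rather than hand-maintain.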

CGP Ransomware

CGP ransomware was first seen in July 2021; the creation timestamps of most of the samples analysed fall between 1 and 18 July.

Haron vs CGP Samples

Property            HARON                    CGP
Creation time       2021-07-13 01:21:13      2021-07-16 07:35:00
PEiD packer         .NET executable          .NET executable
File version        0.0.0.0                  0.0.0.0
External modules    kernel32.dll, ntdll.dll, user32.dll, Mpr.dll, advapi32.dll, kernel32, Netapi32.dll (identical for both samples)

IP traffic (HARON): 185.199.108.133:443 (TCP), 23.35.68.210:80 (TCP), 20.190.155.66:443 (TCP), 104.18.6.156:80 (TCP), 13.64.90.137:443 (TCP), 72.21.81.240:80 (TCP), 8.251.208.126:80 (TCP), 20.190.155.16:443 (TCP), 20.190.155.65:443 (TCP), 239.255.255.250:1900 (UDP), 203.0.113.1:274 (UDP)

IP traffic (CGP): 203.0.113.1:274 (UDP), 185.199.111.133:443 (TCP), 23.33.85.197:80 (TCP), 20.190.155.130:443 (TCP), 20.190.155.1:443 (TCP), 104.18.7.156:80 (TCP), 239.255.255.250:1900 (UDP), 185.199.108.133:443 (TCP), 72.21.81.240:80 (TCP), 72.21.91.29:80 (TCP), 23.50.52.96:80 (TCP), 104.123.153.32:80 (TCP), 104.107.203.50:80 (TCP), 104.123.153.8:80 (TCP), 104.18.6.156:80 (TCP), 20.190.155.16:443 (TCP)

(The source table gives the two IP lists as one run of text; the split above is taken at the repeated 203.0.113.1:274 entry.) Endpoints seen in both runs are 185.199.108.133:443, 104.18.6.156:80, 72.21.81.240:80, 20.190.155.16:443, 239.255.255.250:1900 (UDP) and 203.0.113.1:274 (UDP). Much of this traffic is sandbox background rather than attacker infrastructure: 239.255.255.250:1900 is SSDP multicast, 203.0.113.1 lies in the reserved TEST-NET-3 documentation range, and 185.199.108.133 and 185.199.111.133 are in GitHub's published 185.199.108.0/22 range. None of these addresses should be used as an indicator on its own without attribution.
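The IP traffic column is the part of the table that bears most directly on the article's thesis, but only once the two lists are compared and the background noise is set aside. The following added example (not part of the original article) parses the "ip:port (PROTO)" lists exactly as they appear in the table, computes the endpoints common to both samples, and uses Python's ipaddress module to separate multicast and reserved addresses, which come from the sandbox rather than from the malware, from routable ones. The split of the flattened cell into a Haron list and a CGP list, and the noise classification, are this example's assumptions.

```python
"""
Added example (not from the original article): triage of the IP traffic
column of the Haron/CGP comparison table.

The two strings below are the table's own values (the split between them
is assumed at the repeated 203.0.113.1:274 entry). The regex tolerates
the entries being run together with no whitespace, as the source table
has them.
"""
import ipaddress
import re

HARON_TRAFFIC = ("185.199.108.133:443 (TCP)23.35.68.210:80 (TCP)20.190.155.66:443 (TCP)"
                 "104.18.6.156:80 (TCP)13.64.90.137:443 (TCP)72.21.81.240:80 (TCP)"
                 "8.251.208.126:80 (TCP)20.190.155.16:443 (TCP)20.190.155.65:443 (TCP)"
                 "239.255.255.250:1900 (UDP)203.0.113.1:274 (UDP)")
CGP_TRAFFIC = ("203.0.113.1:274 (UDP)185.199.111.133:443 (TCP)23.33.85.197:80 (TCP)"
               "20.190.155.130:443 (TCP)20.190.155.1:443 (TCP)104.18.7.156:80 (TCP)"
               "239.255.255.250:1900 (UDP)185.199.108.133:443 (TCP)72.21.81.240:80 (TCP)"
               "72.21.91.29:80 (TCP)23.50.52.96:80 (TCP)104.123.153.32:80 (TCP)"
               "104.107.203.50:80 (TCP)104.123.153.8:80 (TCP)104.18.6.156:80 (TCP)"
               "20.190.155.16:443 (TCP)")

ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*\((TCP|UDP)\)")


def parse_endpoints(text):
    """Return a set of (ip, port, proto) tuples from a flattened table cell."""
    return {(ip, int(port), proto) for ip, port, proto in ENDPOINT_RE.findall(text)}


def classify(endpoint):
    """
    Coarse noise classification based only on the address itself:
    multicast (e.g. SSDP on 239.255.255.250:1900) and non-global ranges
    (TEST-NET-3, RFC 1918, loopback) are sandbox or LAN background, not
    something the malware chose to contact.
    """
    ip, port, _proto = endpoint
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast:
        return "multicast (SSDP discovery)" if port == 1900 else "multicast"
    if not addr.is_global:
        return "reserved/non-routable (sandbox artifact)"
    return "routable"


def compare(haron_text, cgp_text):
    """Shared and sample-specific endpoints, plus the shared ones worth attributing."""
    haron, cgp = parse_endpoints(haron_text), parse_endpoints(cgp_text)
    shared = haron & cgp
    return {
        "shared": sorted(shared),
        "haron_only": sorted(haron - cgp),
        "cgp_only": sorted(cgp - haron),
        "shared_routable": sorted(e for e in shared if classify(e) == "routable"),
    }


if __name__ == "__main__":
    result = compare(HARON_TRAFFIC, CGP_TRAFFIC)
    for key in ("shared", "haron_only", "cgp_only"):
        print(f"{key} ({len(result[key])}):")
        for ep in result[key]:
            print(f"  {ep[0]}:{ep[1]}/{ep[2]}  [{classify(ep)}]")
    print("shared and routable:", result["shared_routable"])
```

Six endpoints are common to both runs; two of them (SSDP multicast and the TEST-NET-3 address) are background, leaving four routable shared addresses. Those still need attribution through WHOIS and passive DNS before they are treated as indicators: 185.199.108.133, for instance, sits in GitHub's published 185.199.108.0/22 range, and the 20.190.155.x and 104.18.x.x addresses are in large cloud-provider blocks, so shared use of them says more about sandbox behaviour than about a shared operator.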

Haron and CGP negotiation websites (figure)

Haron vs CGP (figure)

Research and analysis by: Jim Koohyar Biniyaz
