Almost three quarters of ransomware attacks result in the data being encrypted: 51% of organizations were hit by ransomware in the last year, and the criminals succeeded in encrypting the data in 73% of those attacks. There was only a small difference in attack rates by organization size: just under half (47%) of smaller organizations (100-1000 employees) were hit, compared with just over half (54%) of larger organizations (1001-5000 employees).
According to various sources, ransomware attacks have become more sophisticated as threat actors seize sensitive corporate data and hold it hostage for payment. Attackers use many techniques, one of which is to infiltrate companies and steal their data. Ransom demands have grown over the years, with some reportedly running into the tens of millions.
Across the world, hackers are exploiting security loopholes to take corporate, government, and health-care data hostage, demanding tens of millions of dollars in payments. Ransomware, the program by which hackers take digital information hostage, has become the first choice for malware criminals in recent years. Recent cyber attacks using ransomware as a vector of attack include attacks on Massachusetts’ Colonial Pipeline, JBS, the world’s largest meat packer, and the Washington, D.C. Metropolitan Police Department.
New Ransomware Families Rising from RaaS Operators
As ThreatIT already mentioned, Haron is built with the Thanos builder, which was recently shared on GitHub; its set of functions has hardly changed. Haron's public site for negotiating the return of stolen data is designed much like Avaddon's, and the chat-bot it uses is built on an open-source JavaScript script. The web interface of the Haron leak site, located on the same domain, is lifted from Avaddon, but unlike the latter, the copycat does not yet threaten victims with DDoS attacks. The ransom note left on victims' computers also borrows text from Avaddon, and the files on the Haron server still contain icons, logos and samples of stolen data that Avaddon operators used to intimidate victims.
Haron Ransomware
The first samples of the ransomware were found in early July. Like the vast majority of modern ransomware, Haron attacks mainly companies and enterprises in order to maximize its profits, and also has its own data leak site, which publishes information stolen from victims if they refuse to pay to decrypt files.
Haron is targeted ransomware, so the extension it appends to encrypted files is derived from the victim company's name. The first known victim was the CHADDAD Group, and the first strain of the ransomware appended the extension “.chaddad” to files.
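Because Haron stacks a victim-specific extension on top of the original one (for example, a spreadsheet becomes `report.xlsx.chaddad`), a defender can catch this pattern without knowing the extension in advance: look for one unfamiliar final suffix appended over known document types across many recently modified files. The following is an added example, not code from the page or from any vendor; the share paths and the list of "known" extensions are constructed, and only the `.chaddad` suffix comes from the report.

```python
from collections import Counter
from pathlib import PurePosixPath

# Constructed listing of files modified in the last few minutes on a file share
# (paths are hypothetical; only the ".chaddad" suffix is taken from the report).
RECENT_FILES = [
    "/srv/share/finance/q2-report.xlsx.chaddad",
    "/srv/share/finance/budget.docx.chaddad",
    "/srv/share/hr/contracts.pdf.chaddad",
    "/srv/share/hr/onboarding.pptx.chaddad",
    "/srv/share/it/inventory.xlsx.chaddad",
    "/srv/share/it/readme.txt.chaddad",
    "/srv/share/marketing/logo.png",
    "/srv/share/marketing/brief.docx",
]

# Extensions this share normally holds (an assumed baseline); anything else is "unknown".
KNOWN_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".pptx", ".txt", ".png", ".zip"}


def final_suffix(path):
    """Last extension of the file, lowercased ('' if there is none)."""
    return PurePosixPath(path).suffix.lower()


def suffix_histogram(paths):
    """Count how often each final suffix appears in the recent-file listing."""
    return Counter(final_suffix(p) for p in paths)


def has_known_inner_extension(path):
    """True when a known document extension sits directly under the final suffix,
    i.e. the file looks like <name>.<known>.<appended>."""
    suffixes = [s.lower() for s in PurePosixPath(path).suffixes]
    return len(suffixes) >= 2 and suffixes[-2] in KNOWN_EXTENSIONS


def suspicious_extension(paths, share=0.5, min_files=5):
    """Return an unknown final suffix that was appended over known documents on at
    least `share` of the recent files (and on at least `min_files` files); else None.
    The thresholds are tuning knobs for the detection, not values from the report."""
    if not paths:
        return None
    for ext, _count in suffix_histogram(paths).most_common():
        if not ext or ext in KNOWN_EXTENSIONS:
            continue
        stacked = [p for p in paths
                   if final_suffix(p) == ext and has_known_inner_extension(p)]
        if len(stacked) >= min_files and len(stacked) / len(paths) >= share:
            return ext
    return None


if __name__ == "__main__":
    hit = suspicious_extension(RECENT_FILES)
    if hit:
        print(f"possible ransomware activity: '{hit}' appended to "
              f"{suffix_histogram(RECENT_FILES)[hit]} of {len(RECENT_FILES)} recent files")
    else:
        print("no stacked-extension pattern in recent files")
```

Feeding this a file-server audit log or a periodic directory snapshot turns the "extension named after the victim" behaviour into an alert that does not depend on a signature for any one strain; the baseline of known extensions and the thresholds should be tuned per share to avoid firing on legitimate bulk conversions.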
CGP Ransomware
CGP ransomware was first seen in July 2021; most of the analysed samples have creation timestamps between 1 and 18 July.
Haron Vs CGP Samples
| Malware | HARON | CGP |
| --- | --- | --- |
| Creation time | 2021-07-13 01:21:13 | 2021-07-16 07:35:00 |
| PEiD packer | .NET executable | .NET executable |
| File version | 0.0.0.0 | 0.0.0.0 |
| External modules | kernel32.dll, ntdll.dll, user32.dll, Mpr.dll, advapi32.dll, kernel32, Netapi32.dll | kernel32.dll, ntdll.dll, user32.dll, Mpr.dll, advapi32.dll, kernel32, Netapi32.dll |
| IP traffic | 185.199.108.133:443 (TCP); 23.35.68.210:80 (TCP); 20.190.155.66:443 (TCP); 104.18.6.156:80 (TCP); 13.64.90.137:443 (TCP); 72.21.81.240:80 (TCP); 8.251.208.126:80 (TCP); 20.190.155.16:443 (TCP); 20.190.155.65:443 (TCP); 239.255.255.250:1900 (UDP); 203.0.113.1:274 (UDP) | 203.0.113.1:274 (UDP); 185.199.111.133:443 (TCP); 23.33.85.197:80 (TCP); 20.190.155.130:443 (TCP); 20.190.155.1:443 (TCP); 104.18.7.156:80 (TCP); 239.255.255.250:1900 (UDP); 185.199.108.133:443 (TCP); 72.21.81.240:80 (TCP); 72.21.91.29:80 (TCP); 23.50.52.96:80 (TCP); 104.123.153.32:80 (TCP); 104.107.203.50:80 (TCP); 104.123.153.8:80 (TCP); 104.18.6.156:80 (TCP); 20.190.155.16:443 (TCP) |
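The "IP traffic" rows above are sandbox observations, and they need triage before they are usable as indicators: 239.255.255.250:1900 is SSDP multicast, 203.0.113.1 lies in an RFC 5737 documentation range (a sandbox placeholder rather than a real peer), and several of the remaining addresses belong to shared CDN and cloud infrastructure (185.199.108.133, for instance, is a GitHub Pages address, which fits a Thanos-builder sample pulled from GitHub), so blocking them outright would cause collateral damage. The following added example, which is not code from the page or from ThreatIT, parses the two cells exactly as they were extracted, drops the non-routable noise, computes the destinations common to both samples, and matches them against constructed egress firewall lines; the log format and thresholds are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# The two "IP traffic" cells from the comparison table, copied as extracted
# (endpoints run together with no separator). Sandbox observations, not live telemetry.
HARON_TRAFFIC = (
    "185.199.108.133:443 (TCP)23.35.68.210:80 (TCP)20.190.155.66:443 (TCP)"
    "104.18.6.156:80 (TCP)13.64.90.137:443 (TCP)72.21.81.240:80 (TCP)"
    "8.251.208.126:80 (TCP)20.190.155.16:443 (TCP)20.190.155.65:443 (TCP)"
    "239.255.255.250:1900 (UDP)203.0.113.1:274 (UDP)"
)
CGP_TRAFFIC = (
    "203.0.113.1:274 (UDP)185.199.111.133:443 (TCP)23.33.85.197:80 (TCP)"
    "20.190.155.130:443 (TCP)20.190.155.1:443 (TCP)104.18.7.156:80 (TCP)"
    "239.255.255.250:1900 (UDP)185.199.108.133:443 (TCP)72.21.81.240:80 (TCP)"
    "72.21.91.29:80 (TCP)23.50.52.96:80 (TCP)104.123.153.32:80 (TCP)"
    "104.107.203.50:80 (TCP)104.123.153.8:80 (TCP)104.18.6.156:80 (TCP)"
    "20.190.155.16:443 (TCP)"
)

ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}) \((TCP|UDP)\)")

# Address space a sandbox always shows but that is never a real C2 peer:
# multicast (SSDP on 239.255.255.250:1900), RFC 1918, loopback, link-local,
# and the RFC 5737 documentation ranges (203.0.113.0/24 appears in both cells).
NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
)]


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int
    proto: str


def parse_endpoints(cell):
    """Split a run-together 'ip:port (PROTO)' cell into Endpoint records."""
    return [Endpoint(ip, int(port), proto)
            for ip, port, proto in ENDPOINT_RE.findall(cell)]


def is_noise(ip):
    """True for multicast, private, loopback, link-local and documentation addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NOISE_NETS)


def candidate_ips(cell):
    """Routable destinations only. These are review candidates, not a blocklist:
    several are shared CDN/cloud addresses that legitimate traffic also uses."""
    return {e.ip for e in parse_endpoints(cell) if not is_noise(e.ip)}


def shared_candidates(cell_a, cell_b):
    """Destinations contacted by both samples, the most useful overlap to review."""
    return candidate_ips(cell_a) & candidate_ips(cell_b)


# Constructed egress firewall lines (not from the page) in an assumed simple format.
FIREWALL_LOG = """\
2021-07-20T10:01:02Z ALLOW TCP 10.0.0.15:51234 -> 104.18.6.156:80
2021-07-20T10:01:03Z ALLOW UDP 10.0.0.15:1900 -> 239.255.255.250:1900
2021-07-20T10:02:11Z ALLOW TCP 10.0.0.22:49152 -> 93.184.216.34:443
2021-07-20T10:03:40Z ALLOW TCP 10.0.0.15:51240 -> 185.199.108.133:443
""".splitlines()

LOG_RE = re.compile(r"^(\S+) \S+ (TCP|UDP) (\S+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def match_log(lines, indicators):
    """Return (timestamp, source, destination_ip) for lines whose destination is an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(4) in indicators:
            hits.append((m.group(1), m.group(3), m.group(4)))
    return hits


if __name__ == "__main__":
    both = shared_candidates(HARON_TRAFFIC, CGP_TRAFFIC)
    print("routable destinations common to both samples:", sorted(both))
    for ts, src, dst in match_log(FIREWALL_LOG, both):
        print(f"{ts} {src} -> {dst}: review host; shared infrastructure, confirm before blocking")
```

Treat a hit as a lead for host triage (process, parent, file-extension activity on the host) rather than as proof of infection, and keep the noise filter in place so SSDP and documentation-range entries never end up in a blocklist.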
Haron and CGP Negotiation Website:
Haron vs CGP:
Research and Analysis by : Jim Koohyar Biniyaz