Ransom.Win64.CHARON.THGBCBE

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following mutexes to ensure that only one of its copies runs at any one time:

• OopsCharonHere

Process Termination

This Ransomware terminates the following services if found on the affected system:

• AcronisAgent
• AcrSch2Svc
• backup
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• BackupExecVSSProvider
• CAARCUpdateSvc
• CASAD2DWebSvc
• ccEvtMgr
• ccSetMgr
• DefWatch
• GxBlr
• GxCIMgr
• GxCVD
• GxFWD
• GxVss
• Intuit.QuickBooks.FCS
• memtas
• mepocs
• PDVFSService
• QBCFMonitorService
• QBFCService
• QBIDPService
• RTVscan
• SavRoam
• sophos
• sql
• stc_raw_agent
• svc$
• veeam
• veeam
• VeeamDeploymentService
• VeeamNFSSvc
• VeeamTransportSvc
• VSNAPVSS
• vss
• YooBackup
• YooIT
• zhudongfangyu

It terminates the following processes if found running in the affected system's memory:

• agntsvc.exe
• dbeng50.exe
• dbsnmp.exe
• encsvc.exe
• excel.exe
• firefox.exe
• infopath.exe
• isqlplussvc.exe
• msaccess.exe
• mspub.exe
• mydesktopqos.exe
• mydesktopservice.exe
• notepad.exe
• ocautoupds.exe
• ocomm.exe
• ocssd.exe
• onenote.exe
• oracle.exe
• outlook.exe
• powerpnt.exe
• sqbcoreservice.exe
• sql.exe
• steam.exe
• synctime.exe
• tbirdconfig.exe
• thebat.exe
• thunderbird.exe
• visio.exe
• winword.exe
• wordpad.exe
• xfssvccon.exe

Other Details

This Ransomware does the following:

• It empties the Recycle Bin to eliminate deleted files permanently
• It removes shadow copies and backup data to prevent file recovery.
• It encrypts files based on their size using a variable encryption pattern:
  • Files ≤ 64KB: Entire file is encrypted.
  • Files between 64KB and 5MB: Encrypts 3 segments — start (0%), middle (50%), and end (75%).
  • Files between 5MB and 20MB: Encrypts 5 evenly distributed segments across the file.
  • Files >20MB: Encrypts 7 key positions — 0%, 12.5%, 25%, 50%, 75%, 87.5%, and near the end (~95%).
• It adds this specific marker to each encrypted file:
  • hCharon is enter to the urworld!
• It has the capability to create a malicious service as part of its Anti-EDR strategy:
  • WWC
  • Executes from %System%\WWC.sys

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It accepts the following parameters:

• --debug= → Enable logging and save to debug log
• --shares= → Encrypt specific network shares excluding ADMIN$
• --paths= → Encrypt specific directories
• --sf → Shares First, encrypt network shares first

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• How To Restore Your Files.txt

It avoids encrypting files found in the following folders:

• #recycle
• $Recycle.Bin
• All Users
• AppData
• autorun.inf
• Boot
• boot.ini
• bootfont.bin
• bootmgfw.efi
• bootmgr
• bootmgr.efi
• bootsect.bak
• desktop.ini
• Google
• iconcache.db
• Internet Explorer
• Mozilla
• Mozilla Firefox
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• Opera
• Opera Software
• Program Files
• Program Files (x86)
• ProgramData
• thumbs.db
• Tor Browser
• Windows
• Windows.old

It appends the following extension to the file name of the encrypted files:

• .Charon

It drops the following file(s) as ransom note:

• {Encrypted Path}\How To Restore Your Files.txt
  
  
  

It avoids encrypting files with the following file extensions:

• .exe
• .dll
• .Charon