What is Haron Ransomware?

What is Ransomware?

Ransomware is a type of malware that encrypts a victim's files for the purpose of monetary gain, hacktivism, or cyberwarfare. Ransomware may also encrypt files on-access so that they cannot be recovered even if the attackers lose access to the victim's computer. Ransomware is also capable of spreading to other systems and presenting a threat to the network.

How does Ransomware Spread?

Ransomware is serious business, and there are plenty of ways for it to spread. One of the most common is phishing, in which an attacker impersonates a legitimate entity (such as a government) and uses that entity's credentials to gain access to a user's computer. Another is through social engineering, in which an attacker gains access to a user's computer by posing as someone they know (such as a co-worker or friend). Social engineering techniques are often used in combination with phishing techniques to increase the likelihood of infecting the target.

About Haron Ransomware

Haron ransomware is a malicious program distributed as a Win32 EXE file. Haron encrypts an infected system's files and then drops files named RESTORE_FILES_INFO.txt and RESTORE_FILES_INFO.ht, which contain the ransom note. The ransomware also changes the desktop background to display a ransom note. Files encrypted by Haron ransomware have the .chaddad extension appended (named after the ransomware's first victim, the CHADDAD group).

Besides encrypting files, Haron performs several operations to compromise your system further. Haron can terminate processes and can spread to other users in and out of the network via malicious attachments. It may be spread through an email attachment or by the use of a malicious web page.

Haron ransomware has also been spotted inside the following files and processes: chaddadshare.exe, t50mt503j.dll, dedad693898bba0e4964e6c9a749d380.virobj, and 6e6b78a1df17d6718daa857827a2a364b7627d9bfd6672406ad72b276014209c.exe.

Haron Ransomware Capabilities

  • Performs DNS lookups 

  • Queries sensitive processor information to detect virtual machines to avoid forensic analysis. 

  • Uses sc.exe to modify the status of services 

  • Creates a process in suspended mode

  • Reads the hosts file 

  • Queries a list of all running processes in the infected system

  • Uses schtasks.exe or at.exe to add and modify task schedules 

  • Monitors window changes (e.g. starting applications)

  • Alters files via the command line 

  • Modifies the Windows registry using reg.exe 

  • Performs a network lookup/discovery via ARP 

  • Uses sc.exe to alter the status of services 

  • Queries the volume information 

  • Uses taskkill to terminate processes 

  • Sends SSDP broadcast queries 

  • Queries process information (via WMI, Win32_Process)

  • .NET source code references suspicious native API functions

  • Downloads files from webservers via HTTP 

  • Queries sensitive processor information
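
A defender can turn the list above into a simple triage check. The following is an added example, not code from this article or from any vendor: it flags a parent process that launches several of the listed utilities in a short burst, and file names carrying the .chaddad extension or the RESTORE_FILES_INFO note stem. The event tuples, paths, thresholds and function names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Utilities named in the capability list above.
LOLBINS = {"sc.exe", "schtasks.exe", "at.exe", "reg.exe", "taskkill.exe"}
NOTE_STEM = "restore_files_info"   # ransom-note name stem given on this page
ENC_EXT = ".chaddad"               # extension appended to encrypted files

def suspicious_parents(proc_events, min_tools=3, window=timedelta(minutes=2)):
    """Return {parent: tools} for parents that launch >= min_tools distinct
    listed utilities within `window` (both thresholds are assumptions to tune)."""
    by_parent = defaultdict(list)
    for ts, parent, image in proc_events:
        tool = ntpath.basename(image).lower()
        if tool in LOLBINS:
            by_parent[parent.lower()].append((datetime.fromisoformat(ts), tool))
    hits = {}
    for parent, runs in by_parent.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            tools = {t for when, t in runs[i:] if when - start <= window}
            if len(tools) >= min_tools:
                hits[parent] = sorted(tools)
                break
    return hits

def encryption_artifacts(paths):
    """Return created paths that look like a ransom note or an encrypted file."""
    names = ((p, ntpath.basename(p).lower()) for p in paths)
    return [p for p, n in names if n.startswith(NOTE_STEM) or n.endswith(ENC_EXT)]

# Constructed sample telemetry: (timestamp, parent image, child image).
PROC_EVENTS = [
    ("2021-07-20T10:00:01", r"C:\Temp\sample.exe", r"C:\Windows\System32\taskkill.exe"),
    ("2021-07-20T10:00:03", r"C:\Temp\sample.exe", r"C:\Windows\System32\sc.exe"),
    ("2021-07-20T10:00:09", r"C:\Temp\sample.exe", r"C:\Windows\System32\reg.exe"),
    ("2021-07-20T10:00:30", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\sc.exe"),
    ("2021-07-20T11:30:00", r"C:\Backup\agent.exe", r"C:\Windows\System32\schtasks.exe"),
    ("2021-07-20T14:00:00", r"C:\Backup\agent.exe", r"C:\Windows\System32\sc.exe"),
]
FILE_EVENTS = [r"C:\Users\bob\Documents\report.docx.chaddad",
               r"C:\Users\bob\Desktop\RESTORE_FILES_INFO.txt",
               r"C:\Users\bob\Documents\notes.txt"]

if __name__ == "__main__":
    print(suspicious_parents(PROC_EVENTS))
    print(encryption_artifacts(FILE_EVENTS))
```

The backup agent in the sample uses two of the same utilities hours apart and is not flagged, which is why the check requires several distinct tools inside one window rather than alerting on any single sc.exe or schtasks.exe launch.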

How to Remove Ransomware?

There are a number of ways you can remove ransomware, but the two most popular are malware removal and system wiping. Malware removal is a bit more complex; it can be tricky and, in some cases, might not be possible when it comes to ransomware. The first step is to make sure you have a reliable anti-malware program installed. The other option is to restore your system from a previous backup.

Guidelines for ransomware removal:

  • Restore the system with a backup.

  • Check if a decryption tool is available for Haron in order to undo the encryption done by the ransomware.

  • Use an anti-malware app to scan your computer for malicious files and remove them. 

  • Contact cybersecurity professionals for further assistance.

How to Protect Against Ransomware?

There are several ways to protect yourself against ransomware. The most basic and most effective is to use good security practices, such as backing up your data, installing antivirus software, and not opening email attachments or clicking on links from unknown sources. 

Tips to protect yourself from ransomware:

  • Use a reliable antivirus program that scans your computer for malicious files 

  • Use caution when opening email attachments, clicking on links, downloading software, or visiting unknown web pages.

  • Avoid clicking on “friendship requests” from people you don’t know.

  • Never download files from questionable sources or visit websites that you don’t trust. 

  • Use computer privacy measures to keep your personal information safe, such as installing software updates and using strong passwords. 

Reactionary Times News Desk
