‘Charon’ Ransomware Attack Targets Vital Middle Eastern Sectors with Sophisticated Techniques


‘Charon’ Ransomware Attack Hits Critical Infrastructure in the Middle East

Trend Micro has documented a previously unseen ransomware family it calls “Charon”, used in targeted attacks against government bodies and the aviation sector in the Middle East. The intrusion chain borrows techniques normally associated with advanced persistent threat (APT) groups, in particular those attributed to the China-linked group “Earth Baxia”.

Advanced Techniques and Malicious Payload Delivery

Rather than relying on a software exploit, the operators used DLL side-loading, process injection and evasion of Endpoint Detection and Response (EDR) tooling to get their code running. A legitimate, Microsoft Edge-associated executable was made to load a malicious DLL placed alongside it, and that DLL in turn deployed the Charon ransomware. Once running, Charon stops security services, deletes backups so that victims cannot recover without paying, and encrypts files across multiple threads to shorten the window between execution and impact.

Innovative Use of Open-Source Drivers

One notable component is a driver taken from an open-source project and repurposed to disable endpoint defences from kernel mode. Its presence suggests the attackers are adopting tooling that is new or still under development to extend what the ransomware itself can do.
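The behaviours described in the two sections above (a legitimate executable side-loading an unsigned DLL, backups being deleted, security services being stopped, and a kernel driver loaded from a user-writable location) are all visible in ordinary endpoint telemetry. The script below is an added example, not Trend Micro's tooling or anything from the campaign: it runs a few heuristic rules over constructed Sysmon-style event records. The field names follow Sysmon's schema (EventID 7 image load, 1 process create, 6 driver load), but every path, file name, command line and the service watch list are placeholders chosen for this example.

```python
"""Heuristic detection of the behaviours described above, run over a few
Sysmon-style events: DLL side-loading by a legitimate executable staged
outside its install directory, backup deletion, tampering with security
services, and a kernel driver loaded from a user-writable path.
Added example, not Trend Micro's tooling; every record is constructed."""
import re
from typing import Dict, Iterable, List

# Locations from which a trusted binary normally loads its DLLs, and from
# which drivers are normally loaded. Assumes a default Windows layout.
PROTECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
DRIVER_ROOT = "c:\\windows\\system32\\drivers\\"

# Service names worth alerting on when stopped or reconfigured.
# Constructed watch list; add the EDR/AV services present in your estate.
SECURITY_SERVICES = {"windefend", "sense", "wscsvc", "mpssvc"}

BACKUP_DELETION = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(?:\.exe)?\s+delete\s+catalog"
    r"|bcdedit(?:\.exe)?.*recoveryenabled\s+no",
    re.IGNORECASE,
)
SERVICE_TAMPER = re.compile(
    r"\b(?:sc|net)(?:\.exe)?\s+(?:stop|delete|config)\s+(\S+)", re.IGNORECASE
)

# Constructed Sysmon-style events (EventID 7 = image load, 1 = process
# create, 6 = driver load). File names, paths and command lines are
# placeholders invented for this example, not indicators from the campaign.
SAMPLE_EVENTS = [
    {"EventID": 7, "Signed": "true",   # benign: Edge loading its own DLL
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_elf.dll"},
    {"EventID": 7, "Signed": "false",  # side-load: copied helper EXE + unsigned DLL beside it
     "Image": r"C:\Users\Public\Libraries\edge_helper.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\edge_support.dll"},
    {"EventID": 1, "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "CommandLine": "sc.exe stop WinDefend"},
    {"EventID": 1, "CommandLine": "net stop Spooler"},                        # benign
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\killav.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},  # benign
    {"EventID": 1, "CommandLine": "bcdedit /set {default} recoveryenabled No"},
]


def _dir_of(path: str) -> str:
    """Lower-cased parent directory of a Windows path, with trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"


def _under(path: str, roots: Iterable[str]) -> bool:
    p = path.lower()
    return any(p.startswith(r) for r in roots)


def detect(events: Iterable[dict]) -> List[Dict]:
    """Return one alert per matching event as {'index', 'rule', 'detail'}."""
    alerts: List[Dict] = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 7:
            img, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
            unsigned = str(ev.get("Signed", "false")).lower() != "true"
            # Side-loading shape: the DLL sits next to the EXE, outside any
            # protected directory, and carries no valid signature.
            if unsigned and not _under(dll, PROTECTED_ROOTS) and _dir_of(dll) == _dir_of(img):
                alerts.append({"index": i, "rule": "dll_sideload",
                               "detail": f"{img} loaded unsigned {dll}"})
        elif eid == 1:
            cmd = ev.get("CommandLine", "")
            if BACKUP_DELETION.search(cmd):
                alerts.append({"index": i, "rule": "backup_deletion", "detail": cmd})
            m = SERVICE_TAMPER.search(cmd)
            if m and m.group(1).lower() in SECURITY_SERVICES:
                alerts.append({"index": i, "rule": "security_service_tamper", "detail": cmd})
        elif eid == 6:
            drv = ev.get("ImageLoaded", "")
            # Drivers live under System32\drivers; a .sys loaded from Temp,
            # ProgramData or a user profile matches the repurposed-driver pattern.
            if not _under(drv, (DRIVER_ROOT,)):
                alerts.append({"index": i, "rule": "driver_from_unusual_path", "detail": drv})
    return alerts


def summarize(alerts: Iterable[Dict]) -> Dict[str, int]:
    """Count alerts per rule for a quick triage view."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] event #{a['index']}: {a['detail']}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

The side-loading rule deliberately keys on the staging pattern (a copied legitimate executable and an unsigned DLL in the same user-writable directory) rather than on a specific file name, since the legitimate binary can be any signed component the attacker chooses to copy. Each rule on its own is noisy in a real estate; the value is in correlating two or more of them on one host within a short window, and in feeding the service watch list from your own EDR and antivirus service names.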

Targeted and Customized Ransom Demands

Unlike indiscriminate mass ransomware campaigns, Charon drops ransom notes that name the victim organisation. That level of customisation only makes sense if the target was chosen and researched in advance, which points to a deliberate, reconnaissance-driven operation rather than opportunistic spread.

Speculations on Attacker Identity

Trend Micro offers three hypotheses for who is behind the campaign: a direct operation by Earth Baxia, deliberate imitation of Earth Baxia's tradecraft by another actor, or a newly emerging group that has independently developed comparable ransomware capabilities. The overlap in techniques alone is not enough to settle the question.

Concurrent Threats and Widespread Ransomware Impact

Around the same time, eSentire reported a separate campaign by the Interlock ransomware operation that used ClickFix-style lures (web pages that instruct the victim to copy and run a command under the pretext of fixing an error) to deploy malware, steal data and execute ransomware. Barracuda's figures for the past year show that 57% of organisations suffered a successful ransomware breach and 32% paid a ransom, yet only 41% fully restored their data.

Conclusion: Rising Ransomware Risks Demand Vigilance

The emergence of families like Charon underscores how targeted and technically mature ransomware operations against the Middle East have become. Organisations are urged to harden endpoints against side-loading and driver abuse, keep backups that the ransomware cannot reach from a compromised host (this family deletes the backups it can find), and track threat intelligence on the groups whose tradecraft these attacks borrow.