Charon’s execution flow shows advanced evasion mechanisms and highly secure encryption methods. It creates a mutex named OopsCharonHere to avoid multiple instances, then systematically disables security services and terminates antivirus or EDR processes before encryption starts. The encryption process itself uses a hybrid model, combining Curve25519 elliptic curve cryptography with the ChaCha20 stream cipher, generating a unique 32-byte private key per victim and establishing a shared secret with an embedded hardcoded public key. The ransomware applies partial file encryption on large files for speed and efficiency while fully encrypting smaller files to ensure data inaccessibility.

Of particular concern is Charon’s anti-EDR functionality, adapted from the publicly available Dark-Kill project. The ransomware attempts to drop a driver named WWC.sys and register it as the “WWC” service, intended to disable endpoint defenses at the kernel level. Although this component remains dormant in observed variants, its presence suggests future development toward even more dangerous capabilities. With its combination of stealthy execution, robust cryptography, and targeted victim selection, Charon represents a significant escalation in ransomware sophistication, blurring the line between financially motivated cybercrime and APT-style operations.

Impact

• Gain Access
• File Encryption
• Financial Loss

Indicators of Compromise

MD5

• a1a0fd18382769745592226f1f652632

• 966a8a32fee80bba5fcf4f83cd6180fe

SHA-256

• e0a23c0d99c45d40f6ef99c901bacf04bb12e9a3a15823b663b392abadd2444e

• 739e2cac9e2a15631c770236b34ba569aad1d1de87c6243f285bf1995af2cdc2

SHA1

• 21b233c0100948d3829740bd2d2d05dc35159ccb

• a1c6090674f3778ea207b14b1b55be487ce1a2ab

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• ?Apply the latest security patches and updates to all systems, especially Windows hosts, to reduce exposure to DLL sideloading vulnerabilities.
• Restrict execution of unapproved binaries and enforce application whitelisting via solutions like Microsoft AppLocker or Windows Defender Application Control (WDAC).
• Monitor for and block unauthorized creation or execution of DLLs from non-standard directories.
• Implement endpoint detection and response (EDR) solutions with behavioral monitoring to detect sideloading, process injection, and abnormal svchost.exe activity.
• Configure file integrity monitoring for system files and critical application directories to detect unauthorized modifications.
• Regularly audit and restrict service creation permissions to prevent driver or service installation (e.g., WWC.sys).
• Disable or limit PowerShell and scripting tools where possible, or enforce script signing to prevent abuse in payload execution.
• Maintain secure, offline, and tested backups to ensure data recovery in case of ransomware encryption.
• Conduct regular threat hunting for IOCs, including SWORDLDR, DumpStack.log, mutex name OopsCharonHere, and unusual Curve25519/ChaCha20 encryption activity.
• Provide security awareness training to employees to identify phishing or social engineering attempts that may deliver the initial payload.