The Middle East’s Public Sector and Aviation Are at Risk from the New “Charon” Ransomware Strain

A recently discovered ransomware strain known as "Charon" is causing concern throughout the Middle East after launching focused attacks against government and aviation organizations, employing sophisticated strategies to elude detection and cause the most harm.

Charon has recently infiltrated Middle Eastern public sector organizations and aviation companies, according to cybersecurity firm Trend Micro. To leave little chance of recovery, the attackers use APT-level techniques, turning off antivirus software, deleting backups, and emptying recycle bins. Each ransom note is unique, referencing the victim’s name and the encrypted data, indicating a calculated and risky operation.

Although exact attribution is still unknown, preliminary evidence suggests that the operational style is very similar to the known China-linked group Earth Baxia.

Why Charon Is So Dangerous
These attacks’ accuracy and sophisticated setup suggest a highly skilled and resourceful actor. Analysts observe that:

Aggressive cleanup techniques, like deleting backups, show that the goal is not only to extract money but also to seriously damage the victim’s systems.

Because of the APT-style approach, industries with vital infrastructure, such as public administration and aviation, are particularly susceptible to disruption, data theft, and expensive recovery.

Greater Regional Background

The rise of Charon is consistent with a broader pattern of ransomware spreading throughout the Middle East:

Group-IB reported a 68% increase in ransomware incidents in the Middle East and Africa in 2023, mainly due to Ransomware-as-a-Service (RaaS) models, with the financial and real estate sectors being the most severely affected.

Double extortion schemes, in which stolen data is threatened with public release unless the ransom is paid, frequently accompany these attacks.

What Lies Ahead

Charon’s emergence hints at an escalating cyber threat landscape. Aviation systems and public networks—already under immense pressure—must brace for potential future breaches and ramp up defenses.

Governments may need to conduct intelligence-driven operations in the interim to stop this new malware group before it launches another attack.
