Thanos – Tiered Ransomware
In late January 2020, Insikt Group came across Ransomware-as-a-Service (RaaS) being sold on underground forums called ‘Thanos’, developed by an unknown actor named ‘Nosophoros’. This ransomware is sold in tiers each with their own functionality. The more expensive tier of this ransomware incorporates the RIPlace technique. This technique bypasses protection in place by antivirus software that prevent ransomware from encrypting files. This technique was originally developed in 2019 as a proof of concept from Nyotron, a security company.
Due to the nature of the malware, Thanos can be customized in different ways to fit the needs of the customer. But all variants follow a general outline upon code execution:
- The malware implements AMSI bypass, Kill Defender, and Anti-VM protections
- Kill services that prevent deletion of files and volume shadow copies
- Encrypt and upload files to an FTP server controlled by the threat actor, specified at build time
- Upload, store, and display a ransomware note on the victim’s system
- Attempt to spread to other systems on the local network
For a more detailed examination of the Thanos builder, please reference the attached PDF at the end of this post, “Thanos Builder.”
As with any ransomware attack, restoring from a secure backup is the best remediation action to take. For possible preventative measures, researchers suggest prohibiting external FTP connections and blacklisting downloads of known-offensive security tools. These actions can help to prevent the risks associated with the two key components of Thanos, data exfiltration and lateral movement.
Sources: