Thanos is Using RIPlace Technique to Hide Itself

Malware developers keep exploring new ways to make their malware stealthy and avoid detection by security software. One such technique, called RIPlace, has recently been adopted by Thanos ransomware.

Thanos using RIPlace

Thanos developers have been working for a long time on this technique. The initial work was first observed in January 2020, and since then, continuous enhancements have been made. 
  • In July, the developers of Thanos ransomware enhanced the malware code with some specialized tools and features. A major rebuild of the code was done in order to evade signature-based security scanners.
  • The two most striking features are a new method called RIPlace for evading antivirus software, and a new bootlocker. The RIPlace technique allows the attacker to make malicious alterations to files while dodging detection by signature-based AV or Endpoint Detection & Response (EDR) products.
  • The bootlocker feature hinders the normal boot sequence of the malware and displays a ransom note at boot level itself.

Known TTPs

Although ransomware developers are continuously trying to enhance their tools to avoid detection, the Thanos developer relies on some commonly known traits, and knowing them can help prevent this threat.
  • Thanos ransomware is known to be spreading primarily via phishing emails.
  • Most recently, it has been trying to lure victims using financial phishing lures such as tax refund details, invoice schemes, or economic stimulus package updates.

The RIPlace Technique

The RIPlace technique, first detected in November 2019, can encrypt files while keeping detection tools at bay.
  • The bypass method can be executed in as little as two lines of code.
  • An attacker can use this to encrypt Windows files, allowing them to bypass the existing signature-based security defenses.