Thanos RaaS - A Quick Analysis

Top targets

• Many variants of this ransomware are actively targeting organizations located in Western Europe, the Middle East, and North Africa. These variants are created using the Thanos builder tool.
• On July 6 and July 9, 2020, files associated with Thanos ransomware (aka Hakbit) were observed in an attack targeting two state-run organizations located in the Middle East and North Africa.
• In June 2020, an email-based ransomware campaign was found targeting organizations located in Western Europe (Austria, Switzerland, and Germany). The attack campaign reportedly leveraged the Thanos builder tool.

Modus operandi 

• The ransomware is available as a service and offers its users the ability to create custom ransomware payloads. 
• The ransomware uses a proof of concept ransomware technique called RIPlace, to bypass anti-ransomware mitigations.
• For propagation, it uses a legitimate PsExec tool to execute the ransomware on network-connected devices.
• Thanos also spreads via common infection vectors, such as social engineering, phishing, and spam emails.

Recent updates and association

• Thanos ransomware builder was promoted as a private ransomware builder offered on Russian-speaking hacker forums since February.
• Thanos is also marketed on a profit-sharing basis, as the enlisted hackers and malware distributors receive a revenue share—of about 60-70% of ransom payments—for distributing the ransomware.

Key takeaways