Thanos, a Ransomware-as-a-Service (RaaS), was found to be on sale on Russain underground forums in early-2020. It is being offered as a private ransomware builder with 43 different configuration options. Recently, the malware added a Windows MBR locker module.
Many variants of this ransomware are actively targeting organizations located in Western Europe, the Middle East, and North Africa. These variants are created using the Thanos builder tool.
On July 6 and July 9, 2020, files associated with Thanos ransomware (aka Hakbit) were observed in an attack targeting two state-run organizations located in the Middle East and North Africa.
In June 2020, an email-based ransomware campaign was found targeting organizations located in Western Europe (Austria, Switzerland, and Germany). The attack campaign reportedly leveraged the Thanos builder tool.
The ransomware is available as a service and offers its users the ability to create custom ransomware payloads.
The ransomware uses a proof of concept ransomware technique called RIPlace, to bypass anti-ransomware mitigations.
For propagation, it uses a legitimate PsExec tool to execute the ransomware on network-connected devices.
Thanos also spreads via common infection vectors, such as social engineering, phishing, and spam emails.
Recent updates and association
The ransomware builder tool is developed by a threat actor named Nosophoros.
Thanos ransomware builder was promoted as a private ransomware builder offered on Russian-speaking hacker forums since February.
Thanos is also marketed on a profit-sharing basis, as the enlisted hackers and malware distributors receive a revenue share—of about 60-70% of ransom payments—for distributing the ransomware.
Any individual can use the malware service to create their custom ransomware, along with anti-analysis techniques. The development of Thanos ransomware indicates that attackers have been using this service to develop customized malware for specific target audience, roles, and preferences. Organizations need to be vigilant and must proactively update their anti-malware solutions, take backup of important data, deploy secure email gateway, and network firewalls to block potential threats.