Thanos Ransomware: Ransomware Protections Bite the Dust

Thanos, a new Ransomware-as-a-Service (RaaS) tool, is gaining immense popularity in underground forums.

What is going on

Thanos has been discovered to be the sole ransomware family, to date, to use the researcher-disclosed RIPlace tactic. RIPlace is a Windows file system technique that can be used to maliciously alter files and allow threat actors to bypass anti-ransomware methods.

Know your history

  • The distribution of Thanos first started at the end of October 2019 and was known as Quimera ransomware.
  • By early 2020, it started being identified as Hakbit, based on core functionality, string reuse, and code similarity.
  • In a new report, the ransomware was finally identified as Thanos which is being promoted as a RaaS on Russian hacker forums, since February.
  • The discovery of Thanos coincided with a 25% surge in total ransomware attacks in the first three months of 2020, compared to the final three months of 2019.
  • Since the last six months, the operators have been tweaking their software, leading to 12-17 classes of malware.

Worth noting

  • The Thanos client is written in C#.
  • The client uses AES-256 in CBC mode to encrypt user files.
  • Thanos client also offers lateral-movement function, which leverages SharpExe.

The bottom line

It is believed that the ransomware will continue to be weaponized by its operators in different ways. Moreover, while Carbon Black and Kaspersky updated their software post-disclosure of the latest technique used by Thanos, some organizations are yet to take the step. However, with the best security practices, companies can avert this ransomware strain.