Ransomware-as-a-Service (RaaS) is increasing around the world due to the ease of use, and the increasing success that attackers are having in their cyber-attacks. Recently, researchers have observed an increase in the use of a specific piece of malware known as Thanos ransomware. This malware is unique in that it is the first to advertise the use of the RIPlace tactic. This tactic allows attackers to evade detection by altering files without being detected by common Anti-Virus engines such as Microsoft Windows Defender.
According to an article posted on ThreatPost, the utilization of RIPlace is the main reason for the increase in the use of Thanos in cyber-attacks. The ransomware code is relatively simple and allows lower skill attackers to make a profit. Ransomware-as-a-Service has blossomed into a booming industry where skilled hackers can provide code at little cost to attackers to increase their own ability to commit much more serious attacks. It has become a weapons dealership of sorts allowing people to purchase the code and customize it for their attacks.
Thanos was first observed on an underground forum in early 2020. The threat actor claiming ownership over the code identified themselves as “Nosophoros.” The malware has been updated and enhanced over the past 6 months. An attractive aspect of the malware is the configurability.
Researchers observed more than 80 Thanos victims with different configurations options enabled. One of the company-tier features is the ability to change the Thanos encryption process to use the RIPlace technique, which was released last year by Nyotron as a PoC. The proof of concept showed how the malware could encrypt a victim’s files by writing the encrypted data from memory to a new file, and then using the “Rename” call to replace the original file. After this sensitive file is replaced (hence the name, “RIPlace”) it enables bad actors to bypass ransomware protections.
Another feature offered by the Thanos client is a lateral-movement function. This makes use of a legitimate security tool called SharpExec, which is specifically designed for lateral movement. The client downloads the SharpExec tools from a GitHub repository, scans the local network to get a list of online hosts, and uses the SharpExec’s functionality to then execute the Thanos client on remote computers. Other features of Thanos include the ability to exfiltrate all files with a specified set of extensions, and anti-analysis tool allowing the client to perform several checks to determine whether it is executing within a virtual machine environment, and two obfuscation options.
When encrypting the data for victims, Thanos uses a random, 32-byte string generated at runtime as a password for the AES file encryption. The string is then encrypted with the ransomware operator’s public key – and without the corresponding private key, recovering the encrypted files is impossible.
The Thanos builder includes the option to use a static password for the AES file encryption,” said researchers. If this option is selected, the clients generated by Thanos will contain the AES password used to encrypt files. Importantly, this means that if a Thanos client is recovered after encryption has occurred, there is a chance that the victims may be able to recover their files without paying the ransom.
Based on code similarity, string reuse, the ransomware extension, and the format of the ransom notes, researchers say they assess “with high confidence” that ransomware samples tracked as Hakbit are built using the Thanos ransomware builder developed by Nosophoros. Thanos is under active development by its operators. Researchers have observed the ransomware receiving positive feedback from cybercriminals on underground forums, with claims that the tool “works flawlessly” and requests to “keep the updates coming.” Recorded Future cyber researchers have not yet explicitly observed Thanos being used as part of an actual attack against a company.
Analysts believe that Thanos will continue to increase in popularity until a more efficient and effective platform come along. However, analysts also believe that strong security practices can protect companies from the ransomware strain. With information security best practices such as prohibiting external FTP connections and blacklisting downloads of known-offensive security tools, the risks associated with the two key components of Thanos data stealer and lateral movement can be averted.
What can you do to protect your organization better today?
- Proper data back-up and off-site storage policies should be adopted and followed.
- Institute cyber threat and phishing training for all employees, with testing and updating with quarterly updates.
- Manage, review, and update file permissions and access for all employees.
- Phishing is usually the first step in a broader attack campaign that will lead to the injection of Trojans and other types of malware.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including Keyloggers, with having to connect to your network.
- RedXray customers can receive up to $100,000 in ransomware coverage at no additional expense to them.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide both internal monitorings in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting. Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org