Security researchers at Palo Alto Networks’ Unit 42 have identified a new ransomware family called Thanos, which attempts, so far unsuccessfully, to lock victims’ Windows master boot records (MBRs). In June 2020, this ransomware hit many organizations in Austria, Switzerland, and Germany; in July, it affected devices at government entities in the Middle East and North Africa.

Ransomware is dangerous on its own: it encrypts files and demands that victims pay a ransom to get their data back. In Thanos’ case, however, the malware also tries to lock the Windows MBR and threatens to encrypt the entire hard drive. A Unit 42 researcher noted that victims would need to take extra steps to recover a device whose MBR has been locked by Thanos, even after the attackers decrypt their files. Because the ransom note contains invalid characters, however, Thanos’ attempted encryption of the MBR has not succeeded.

Thanos is not the first ransomware of its kind; Petya displayed similar encryption behavior in 2016. Although Thanos’ MBR encryption has failed, the attackers still displayed the ransom note and demanded $20,000. The attackers may have had access to the victims’ systems for some time, since researchers found valid credentials inside the recovered samples. They used PowerShell, shellcode, C# code, and scripts to deploy the payload to the target device, and used PsExec and SharpExec to spread Thanos to other Windows devices.
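Since the MBR is the sector Thanos tries to overwrite, a defender can record a baseline of it and check captured copies for changes. The following is an added example (not code from Unit 42 or the original article) that parses a 512-byte MBR image, hashes its bootstrap code against a recorded baseline, and flags a missing 0x55AA boot signature, the symptom of a partial or malformed overwrite; the sample sectors and the baseline hash are constructed for the demonstration. On a live Windows host the sector would be read from the raw physical drive with administrator rights.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # the two bytes that close every valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into bootstrap hash, partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):  # four 16-byte partition entries start at offset 446
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"bootstrap_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings for a captured MBR; an empty list means it matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: MBR corrupted or partially overwritten")
    if info["bootstrap_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline: possible MBR overwrite")
    if not info["partitions"]:
        findings.append("partition table empty: all four entries zeroed")
    return findings


def make_sample_mbr(bootstrap: bytes, keep_signature: bool = True) -> bytes:
    """Constructed 512-byte MBR with one active NTFS-type (0x07) partition, for testing only."""
    code = bootstrap.ljust(446, b"\x00")[:446]
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    sig = BOOT_SIGNATURE if keep_signature else b"\x00\x00"
    return code + entry + b"\x00" * 48 + sig


# Constructed samples: a known-good MBR recorded at baseline time, and one whose
# bootstrap code was replaced by a ransom note and left without a valid signature.
CLEAN_MBR = make_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32)
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:446]).hexdigest()
TAMPERED_MBR = make_sample_mbr(b"YOUR FILES ARE ENCRYPTED", keep_signature=False)
```

Running `check_mbr(TAMPERED_MBR, BASELINE_SHA256)` reports both the missing signature and the changed bootstrap code, while the clean sample returns no findings.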

How is Thanos different from other ransomware?

Thanos is sold on Russian-language forums as a ransomware-as-a-service tool with a basic set of build options. Attackers can download the basic version and customize and weaponize it for their own needs.

This ransomware also implements RIPlace, an evasion technique that lets the malware bypass endpoint protection scans. In addition, Thanos has advanced features that make it easy to spread to other devices on a network.

How to keep Thanos away

Users are advised to keep their systems updated, validate incoming emails, and not open attachments unless the email comes from a verified sender. Enterprises that already run an antivirus solution should check with their antivirus provider for the latest definition update so that Thanos can be detected on their network.

The RIPlace evasion technique is new, and only a few antivirus providers have updated their tools to close this loophole. With the right malware detection tools, organizations can keep Thanos off their network.