Thanos is a RaaS (Ransomware as a Service) offering that provides buyers and affiliates with generated payloads that can be configured with numerous features and options. Many of the options available in the Thanos builder are designed to evade endpoint security products, including the use of the RIPlace technique. To date, Thanos appears to be the only widely recognized threat making use of RIPlace, although the feature was not always part of the Thanos toolset.
Between February and June 2020, the following features were added to the toolset:
IoCs have been retrieved, but the attack vector for this particular campaign is still unknown.