Rewterz Threat Alert – Thanos Ransomware Adds to Feature Set

Severity

Medium

Analysis Summary

Thanos is a RaaS (Ransomware as a Service) which provides buyers and affiliates with generated payloads that can be configured with numerous features and options. Many of the options available in the Thanos builder are designed to evade endpoint security products, and this includes the use of the RIPlace technique. To date, Thanos appears to be the only widely-recognized threat making use of RIPlace, although the feature was not always part of the Thanos toolset. 
Between February and June 2020, the following features were added to the toolset:

• RIPlace
• Updated FTP-based reporting
• Built-in Rootkit feature (ransomware is not stealth and invisible to Task Manager during encryption)
• Tool interface improvements
• Immortal process support expansion
• Encryption speed enhancements (advertised to fully encrypt hosts in less than 2 minutes)
• Rootkit option expanded to support Windows 7, 8, 10 on both x86 and x64 architectures
• LAN-wide ransom notes can now appear at Windows Login
• Runtime dyncheck for the ransomware client
• Support for distinguishing between upper and lower-case file extensions
• Updated Client expiration options
• LAN share encryption without having to map drives
• Updated runtime compilation

IoCs have been retrieved but attack vector for this particular campaign is still unknown. 

Impact

• Files encryption
• Information theft
• Detection evasion
• Network-wide infection

Indicators of Compromise

MD5

• a4e1caab1b9642ef645b6549ca09d303
• a20a074f8ea7ae17809addf38dc400a0
• 21fa6ebdd397f14bbb68a4e3d012467e
• b8edb3062e489a16fd49868c18731a55
• 3d4d66b50ecb9e741e416a2a20e1e5b7
• 0f27d1180d28e1bcaf4d66f6b51c087c
• 874b68e73c2564b25dea17145d079006
• bd9c08451d11f7c9ccefb6dceb7e8555
• 0dcfe58d200058289ea8c13551d13ce8
• 3c31ed5362637ff3d5f94347396d753f
• dabb1e7706b4b67ff8ae5a79ab263f06
• 90e26c44e1148d5be61538932b9b14d1
• 45476cb160a030539fea7327946e8232
• 6ac55ad4d3952513e0ad61cffef7b440
• d209e35f7cb4677a6072415b1266118e
• 2a66b3b2638dfc5dfcf8aaf825993269
• efacfe855e74d597fb7f987a01ac2120
• 070940acdcf608923d044edc79ba4121
• d38f63c08174dba2225a8c8293e4fd8b

SHA-256

• 989a9d2e08fcba4059ebc55afc049f34d2a12bfdd1e14f468ee8b5c27c9e7bda
• 8a2b54d273d01f8d5f42311d5402950bb9983648a39b943c729314a97ede15a2
• f0c0c989b018ee24cbd7548cec4e345fd34f491d350983fddb5ddc1ad1f4ba9f
• cea80fe543aec9c6b4a4628ec147e8a41cac766c2cd52c0ca86a19f9ef348fc3
• 7a7a5110cb9a8ee361c9c65f06293667451e5200d21db72954002e5725971950
• 7e6db426de4677efbf2610740b737da03c68a7c6295aca1a377d1df4d35959e5
• 09fd6a13fbe723eec2fbe043115210c1538d77627b93feeb9e600639d20bb332
• a95f9d82097bdfa2dd47e075b75d09907d5913e5c15d05c926de0d8bbce9698f
• 53806ba5c9b23a43ddbfa669798d46e715b55a5d88d3328c5af15ba7f26fbadd
• 794369bc9a06041f906910309b2ce45569a03c378ff0468b6335d4f653f190ab
• 10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5
• befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415
• 855dcd368dbb01539e7efa4b3fefa9b56d197db87b1ba3ede5e1f95927ea2ca3
• d1b634201a6158a90f718a082c0fe0ee1769ff4b613dd9756a34318fa61eea47
• 17314793d751b66f4afc1fac1c0ab0c21f2c9f67e473e8ba235bc79d7e0ea1b0
• edcac243808957cc898d4a08a8b0d5eaf875f5f439a3ca0acfaf84522d140e7e
• 23d7693284e90b752d40f8c0c9ab22da45f7fe3219401f1209c89ac98a4d7ed3
• 5b5802805784b265c40c8af163b465f1430c732c60dd1fbec80da95378ae45b7
• f7d7111653c43476039efd370fb39fcdb2c22a3f1bb89013af643b45fb3af467
• 81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e
• 34b93f1989b272866f023c34a2243978565fcfd23869cacc58ce592c1c545d8e
• ff1a88c2ad5df435a978c63d21a6ab0642134785284b01137e18dd235197b66d

SHA1

• 5f44342dc0cb0c4ef3a3b3dad1e974e9c6eb9120
• 0ecff2f818565e7eb28d3a7b7d295459a868e920
• b4fe4ce027afeb9ca0b88b52891fb7c73d822d10
• ae42c46c6b8a5a60c232665abd6c9bc469021512
• da0cd782f32088c0df8cd62deda1c61b4cedd6fb
• db49455bbc76eb00a99e803aa46d5681ac60b17b
• c5517ca6e843efb0a4d2989e6ba16dde6cf7da65
• f5664b367a841643728cd90d0cb61df9e58fa4d7
• 4e04822d6b8c3087be0550dba96f0c80d84359f8
• 6be2e40bd6901462f9d87fbee63740a3971d1a75
• f086a802887c4b3ed9be69ffc018fb6ffb324f5e
• a86ba83804da1f7d2675d5994c724995fef09771
• 5b1d1de92d8b8163ac70281d6afa3113d0f86362
• 018a392975a8731735ef709e6418e5af19db3756
• f3264a5ecd6e1b3aef2884b1c35028eedcf442dc
• 4c6e634075781724cba954a76d1d831d077b7257
• caef3905436bdf99bda6a3de64b162630c527375
• 15a00d3aba362aade900374b6d159de98e8eac62
• 18529b6bef216231c34b2701eb3894ca2dd3a5ba
• 31bd11c9d4dd19185a2ea42507ba8a3651198335
• 1867a1100203ea14f9496b938c23b44a3b31ec40
• ffcc533b3b5630f405ff9e6274fc273f1bd33594

Remediation

• Block the threat indicators at their respective controls.
• Do not download file attachments from untrusted email addresses.
• Keep all systems and software updated to latest patched versions.
• Maintain offline backups for all valuable data.
• Segregate OT and IT networks where possible.