Rewterz Threat Alert – Thanos Ransomware Auto-spreading to Windows Devices, Evading Security

Severity

High

Analysis Summary

The Thanos ransomware is the first to use a researcher-disclosed RIPlace anti-ransomware evasion technique as well as numerous other advanced features that make it a serious threat to keep an eye on. This ransomware is named Thanos and is being promoted as a Ransomware-as-a-Service on Russian-speaking hacker forums since February.

Thanos is enlisting hackers and malware distributors to distribute the ransomware. For doing so, they will receive a revenue share, which is typically around 60-70%, of any ransom payments.

While most ransomware written in C# does not have a high level of sophistication, Thanos has numerous advanced features that make it stand out from the rest. When ransomware renames a file to a symlink created using the DefineDosDevice() function, anti-ransomware software would not accurately detect the operation. Instead, their monitoring functions would receive an error, while the rename would still work, and thus bypass the anti-ransomware program. Thanos is the first ransomware to adopt the RIPlace technique. It also shows connections to Hakbit.

In addition to the built-in file theft, Thanos also includes a feature that will attempt to spread the ransomware laterally to other devices on the network. When executed, Thanos will download the SharpExec offensive security toolkit from its GitHub repository. The ransomware will use SharpExec’s bundled PSExec program to copy and run the ransomware executable on other computers. Below is the ransom note.  

 

Impact

• Files encryption
• Security Bypass
• Detection Evasion
• Network-wide infection

Indicators of Compromise

SHA-256

• 7a7a5110cb9a8ee361c9c65f06293667451e5200d21db72954002e5725971950
• 5b5802805784b265c40c8af163b465f1430c732c60dd1fbec80da95378ae45b7
• 7e6db426de4677efbf2610740b737da03c68a7c6295aca1a377d1df4d35959e5
• d1b634201a6158a90f718a082c0fe0ee1769ff4b613dd9756a34318fa61eea47
• e63aeb1aa61c38a5bed126b41ca587a892de0311730b892aee77541a761e1a02
• 940df3b1cf603388cf9739cc208c1a88adfe39d2afe51e24a51878adca2be4e3
• a1bab429b3b18fdb8e4fec493bd53e89c0f87147d902ff41a0f6dcd61c159553
• e67fa8978e6c22f4d54604a54c3ac54e631128eed819d37355c2ad80e74507a5
• b99e0b750b3815fec3b292ede3f94524c8bede7d158334295e096518e9cde0ad
• 989a9d2e08fcba4059ebc55afc049f34d2a12bfdd1e14f468ee8b5c27c9e7bda
• db3ef67666e18047aa24a90bfa32ca456641209147703853413d56eb74d44673
• 10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5
• 049425dac929baf288c44c981ef63417d097fb95f5199c9f33e5ef5e2ec20590
• f1388fbe51253d8f07a98eabfe0422e39821d936166cc85c92a0418854ae15fb
• cea80fe543aec9c6b4a4628ec147e8a41cac766c2cd52c0ca86a19f9ef348fc3
• 8a2b54d273d01f8d5f42311d5402950bb9983648a39b943c729314a97ede15a2
• aae00e2532ae5093e8c0a623bffcc4c447d04e89237438c52cb473854c715724
• fd8c3259b8e80b8220c6053aa9b045676d1e3fe09356ed94b5e47fb5b895ff92
• 23d7693284e90b752d40f8c0c9ab22da45f7fe3219401f1209c89ac98a4d7ed3
• e256a9f20479f29e229f594ef6ab91be75bff9e3f0784030ac0feb8868f4abc1
• 7a38f70d923669a989ea52fa1c356c5ac7ccce4067a37782973466102e3d27f6
• 53806ba5c9b23a43ddbfa669798d46e715b55a5d88d3328c5af15ba7f26fbadd
• 871eef727aaad88b734bb372f19e72ccf38034195666c35390f5c3064f5469a3
• edcac243808957cc898d4a08a8b0d5eaf875f5f439a3ca0acfaf84522d140e7e
• 86ed000fa2dd99f2b2341da607c904c0b510f98ead65be12b358e3f73e624cb6
• c8f18fb0baf81b31daa929499b2dcaa7f297bd05ec1ecff319ae5e8b34dade00
• ff1a88c2ad5df435a978c63d21a6ab0642134785284b01137e18dd235197b66d
• 3ccf57e60cdf89d04f2c7e744d73e3b40a4308a2ba87d0423c96f601d737733f
• f7d7111653c43476039efd370fb39fcdb2c22a3f1bb89013af643b45fb3af467
• 8a2b54d273d01f8d5f42311d5402950bb9983648a39b943c729314a97ede15a2
• 917905ba95c10847e0bf3bc66332ae05616a0ddd965a00ae8ec3431ed11c39d2
• 5849966984f270b200fd80e086d2565a5a7d4ee0743677640f45b97b46e49082
• 3f83fd42af95185e19e537708dccdf1539dcab1ce73783c2741b4c1929dcc020
• 794369bc9a06041f906910309b2ce45569a03c378ff0468b6335d4f653f190ab
• 9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2
• f0c0c989b018ee24cbd7548cec4e345fd34f491d350983fddb5ddc1ad1f4ba9f
• 871eef727aaad88b734bb372f19e72ccf38034195666c35390f5c3064f5469a3
• a95f9d82097bdfa2dd47e075b75d09907d5913e5c15d05c926de0d8bbce9698f
• 81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e
• 916aeaa51050f25dbbcefc1be1820457e1d9d755a44d2d0cf62155f75c54127c
• 17314793d751b66f4afc1fac1c0ab0c21f2c9f67e473e8ba235bc79d7e0ea1b0
• 34b93f1989b272866f023c34a2243978565fcfd23869cacc58ce592c1c545d8e
• 855dcd368dbb01539e7efa4b3fefa9b56d197db87b1ba3ede5e1f95927ea2ca3
• 09fd6a13fbe723eec2fbe043115210c1538d77627b93feeb9e600639d20bb332
• befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415

Remediation

• Block the threat indicators at their respective controls.
• Do not download files from untrusted emails or random sources on the internet.
• Keep all systems and software updated to latest versions.
• Maintain offline backups for all data.