Rewterz Threat Alert – Thanos Ransomware Auto-spreading to Windows Devices, Evading Security
Severity
High
Analysis Summary
Thanos is the first ransomware to use the researcher-disclosed RIPlace anti-ransomware evasion technique, alongside numerous other advanced features that make it a threat worth watching. It has been promoted as a Ransomware-as-a-Service on Russian-speaking hacker forums since February.
Thanos recruits hackers and malware distributors to spread the ransomware; in return, affiliates receive a revenue share, typically around 60-70%, of any ransom payments.
While most ransomware written in C# is not especially sophisticated, Thanos has numerous advanced features that set it apart. When ransomware renames a file to a symlink created with the DefineDosDevice() function, anti-ransomware software fails to detect the operation accurately: its monitoring callbacks receive an error while the rename still succeeds, so the anti-ransomware program is bypassed. Thanos is the first ransomware to adopt this RIPlace technique. It also shows connections to Hakbit.
In addition to built-in file theft, Thanos includes a feature that attempts to spread the ransomware laterally to other devices on the network. When executed, Thanos downloads the SharpExec offensive security toolkit from its GitHub repository and uses SharpExec's bundled PsExec program to copy and run the ransomware executable on other computers. Below is the ransom note.
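As an added illustration (not part of the Rewterz alert), a small correlation over constructed endpoint events that flags the lateral-movement chain described above: a single process fetching a SharpExec artefact from GitHub and then staging an executable on remote ADMIN$ shares, as PsExec does. The event schema, hostnames, paths and URLs are assumptions made for the example.

```python
"""Toy detection for the Thanos lateral-movement chain: GitHub download of
SharpExec followed by executable writes to remote ADMIN$ shares."""
from collections import defaultdict

# Constructed sample telemetry (assumed schema, not a real product's events).
# Each event: originating host, process id, event type and type-specific fields.
EVENTS = [
    {"host": "ws01", "pid": 4120, "type": "net",
     "dst": "raw.githubusercontent.com", "url": "/example/SharpExec/SharpExec.exe"},
    {"host": "ws01", "pid": 4120, "type": "file", "path": r"\\ws02\ADMIN$\update.exe"},
    {"host": "ws01", "pid": 4120, "type": "file", "path": r"\\ws03\ADMIN$\update.exe"},
    # Benign: a GitHub fetch that is not SharpExec.
    {"host": "ws05", "pid": 880, "type": "net",
     "dst": "raw.githubusercontent.com", "url": "/example/docs/README.md"},
    # Benign: a document copied to a C$ share by a process with no download.
    {"host": "ws07", "pid": 1200, "type": "file", "path": r"\\ws08\C$\report.xlsx"},
]

GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com"}
ADMIN_SHARE = "\\ADMIN$\\"  # substring of a UNC path such as \\host\ADMIN$\x.exe


def correlate(events):
    """Return {(host, pid): [remote hosts]} for every process that first
    fetched a SharpExec artefact from GitHub and afterwards wrote an .exe
    to a remote ADMIN$ share. Event order is significant: a share write
    before the download does not count."""
    fetched = set()
    staged = defaultdict(list)
    for ev in events:
        key = (ev["host"], ev["pid"])
        if (ev["type"] == "net" and ev["dst"] in GITHUB_HOSTS
                and "sharpexec" in ev["url"].lower()):
            fetched.add(key)
        elif (ev["type"] == "file" and ADMIN_SHARE in ev["path"].upper()
                and ev["path"].lower().endswith(".exe")):
            if key in fetched:
                # UNC path \\host\ADMIN$\file.exe -> host is the third component
                staged[key].append(ev["path"].split("\\")[2])
    return dict(staged)


if __name__ == "__main__":
    for (host, pid), targets in correlate(EVENTS).items():
        print(f"{host} pid {pid}: SharpExec fetch then staging to {targets}")
```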