Rewterz Threat Alert – Thanos Ransomware: Destructive Variant

September 7, 2020

Severity

High

Analysis Summary

A ransomware attack on two state-run organizations in the Middle East and North Africa was detected that ultimately installed and ran a variant of the Thanos ransomware. The Thanos variant created a text file that displayed a ransom message requesting the victim to transfer “20,000$” into a specified Bitcoin wallet to restore the files on the system. Below is the ransom note found on encrypted machines.

HOW_TO_DECRYPT_YOUR_FILES.txt - Notepad - This shows a Thanos ransomware message displayed to victims, including the following text: "Your files are Encrypted. Don't worry, you can return all your files! I don't want to loose your files too. If I want to do something bad to you I would've wipe all of your network but that's not helping me. :) so temporary all of your files is mine now until you pay the price of them. If you want to restore them contact me from the address below, I'll be happy to help you to get out of this situation. You've got 48 hours (2 Days), before you lost your files forever. I will treat you good if you treat me good too." The note closes with contact info, a Bitcoin wallet ID and a demand for "20,000$."

The threat group behind the use of these tools had previous access to these networks as they had already obtained valid credentials from the networks. The Thanos sample created for these networks executes several layers before the .NET Thanos ransomware runs on a system, specifically using code from several open source frameworks. The layers start at the top with a PowerShell script that not only loads another PowerShell script as a sub-layer, but also attempts to spread the ransomware to other systems on the network using previously stolen credentials. The ransomware was also configured to overwrite the master boot record (MBR), which is an important component loaded on a system’s hard drive that is required for the computer to locate and load the operating system. The ransomware overwrites the MBR to display the same ransom message as the previously mentioned text file. Thanos was first discovered in February 2020 when it was advertised for sale on underground forums. The Thanos ransomware has code overlaps with other ransomware variants, such as Hakbit, and has a builder that allows the user to customize the sample with a variety of available settings. This ransomware appears to be still under active development, as we observed newly added functionality in the samples built to run on the Middle Eastern and Northern African state-run organizations.

Impact

Files Encryption
MBR overwrite
Possible Financial Loss
Network-wide Infection

Indicators of Compromise

MD5

c9c99f0896d4ac975d245d848ffabbd5
7c12a63096a6b157564dc912e62b2773
d6d956267a268c9dcf48445629d2803e
af0e33cf527b9c678a49d22801a4f5dc
a15352badb11dd0e072b265984878a1c
7bdd4b25e222b74e8f0db54fcfc3c9eb
e01e11dca5e8b08fc8231b1cb6e2048c
be60e389a0108b2871dff12dfbb542ac
03b76a5130d0df8134a6bdea7fe97bcd

SHA-256

06d5967a6b90b5b5f6a24b5f1e6bfc0fc5c82e7674817644d9c3de61008236dc
a224cbaaaf43dfeb3c4f467610073711faed8d324c81c65579f49832ee17bda8
c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850
40890a1ce7c5bf8fda7bd84b49c577e76e0431e4ce9104cc152694fc0029ccbf
240e3bd7209dc5151b3ead0285e29706dff5363b527d16ebcc2548c0450db819
cbb95952001cdc3492ae8fd56701ceff1d1589bcfafd74be86991dc59385b82d
58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f
5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d
ae66e009e16f0fad3b70ad20801f48f2edb904fa5341a89e126a26fd3fc80f75

SHA1

955595c0b67c835c7fabc65dea613199e0676f19
bee6c97ac6337adc22887da899d8a30acb523ade
cc0feae505dad9c140dd21d1b40b518d8e61b3a4
f6a9d604cfb384f46e48e19a9b71cf5bb278e323
85bac120e37f7bc24d875c8ca3b8c7f10806c523
94e97a6c0d62a3b225bd03b089998a4c78c60de5
4983d07f004436caa3f10b38adacbba6a4ede01a
14b4e0bfac64ec0f837f84ab1780ca7ced8d670d
60053d661ed03cd2a07f6750532e6ef11abcc4e5

Source IP

107[.]174[.]241[.]175

URL

http[:]//107[.]174[.]241[.]175[:]80/index[.]php

Remediation

Block the threat indicators at their respective controls.
Implement a strong password policy and implement multi-factor authentication where possible.