It has been reported that a new ransomware-as-a-service (RaaS) tool called "Thanos", which provides buyers and affiliates a customization tool to build unique payloads, is spreading and gaining popularity on various underground forums and channels. This ransomware family employs the RIPlace technique, which is mainly used to bypass anti-ransomware endpoint security.
Thanos ransomware is primarily delivered via phishing emails. The campaign lures users with financial-themed content such as tax-refund details and invoice schemes. Upon launch, the ransomware tries to terminate various security processes and system utilities to ensure thorough encryption.
Its features, as originally advertised in late 2019, included auto-update for the builder tool, a .NET implementation, unique encryption keys per host, anti-VM / VM-evasion, multiple persistence options and more. The RIPlace technique, along with other updated features, was added during the last six months. Further noteworthy features have been added recently, including disabling of third-party backup solutions (in addition to AV product termination), changing file permissions to capture (exfiltrate) or encrypt more files, a Bootlocker feature to display the ransom note at boot level (on clients not protected by UEFI / Secure Boot), expanded support for encryption on Windows Server 2012 and more, making it more resilient and sophisticated. This increases the threat potential of Thanos ransomware.
More than 80 Thanos "clients" have been observed with different configuration options enabled. In the Thanos ransomware builder, a user may select the option to enable RIPlace, which modifies the encryption process workflow to use the technique.
Thanos' encryption technique varies with the evolution of its payloads. While encrypting, Thanos uses a random 32-byte string generated at runtime as the passphrase for AES file encryption. The string is then encrypted with the ransomware operator's public key; without the corresponding private key, recovering the encrypted files is extremely difficult or impossible.
However, the Thanos builder also provides an option to use a static password for AES file encryption. When this option is chosen, the same AES password is used to encrypt files, so if a Thanos client is recovered after encryption has occurred, there is a chance of recovering files without paying the ransom.
Countermeasures and Best practices for prevention:
- Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs, close the e-mail and go to the organization's website directly through the browser.
- Install ad blockers to combat exploit kits such as Fallout that are distributed via malicious advertising.
- Prohibit external FTP connections and blacklist downloads of known offensive security tools.
- All operating systems and applications should be kept updated on a regular basis. Virtual patching can be considered for protecting legacy systems and networks. This measure hinders cybercriminals from gaining easy access to any system through vulnerabilities in outdated applications and software. Avoid applying updates / patches obtained from any unofficial channel.
- Restrict execution of PowerShell / WSCRIPT in an enterprise environment. Ensure installation and use of the latest version of PowerShell with enhanced logging enabled, including script block logging and transcription. Send the associated logs to a centralized log repository for monitoring and analysis.
- Establish a Sender Policy Framework (SPF) for your domain; SPF is an email validation system designed to prevent spam by detecting email spoofing, which is how most ransomware samples successfully reach corporate mailboxes.
- Use application whitelisting / strict implementation of Software Restriction Policies (SRP) to block binaries running from the %APPDATA% and %TEMP% paths. Ransomware samples are generally dropped to and executed from these locations.
- Users are advised to disable RDP if not in use; if it is required, it should be placed behind the firewall and users must be bound by proper policies while using RDP.
- Block e-mail attachments of the following file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
- Consider encrypting confidential data, as ransomware generally targets common file types.
- Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
- Network segmentation and segregation into security zones help protect sensitive information and critical services. Separate the administrative network from business processes with physical controls and Virtual Local Area Networks.
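As an added example (not from the advisory or from any vendor product) of enforcing two of the controls listed above, the attachment-type block list and the %APPDATA% / %TEMP% execution restriction, the Python below checks attachment filenames and executable paths against those rules; the user-profile directories are constructed sample values and would be resolved from the environment on a real host.

```python
import ntpath

# Attachment extensions from the advisory's block list (lower-case, no dot).
BLOCKED_EXTENSIONS = frozenset(
    "exe pif tmp url vb vbe scr reg cer pst cmd com bat dll dat hlp hta js wsf".split()
)

# Constructed sample roots for %APPDATA% and %TEMP%; on a real host derive them
# from os.environ["APPDATA"] and os.environ["TEMP"] instead of hard-coding.
BLOCKED_EXEC_ROOTS = (
    r"C:\Users\alice\AppData\Roaming",    # %APPDATA%
    r"C:\Users\alice\AppData\Local\Temp", # %TEMP%
)


def attachment_extensions(filename):
    """Return all extensions of a filename, lower-cased, e.g. 'Invoice.PDF.exe' -> ['pdf', 'exe'].

    Windows silently drops trailing dots and spaces when saving a file, so a name
    such as 'refund.scr ' still ends up as a .scr file; strip them before parsing.
    """
    name = ntpath.basename(filename).rstrip(". ")
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def is_blocked_attachment(filename):
    """True if the effective (last) extension of the attachment is on the block list.

    Checking the last extension after normalisation catches double-extension lures
    like 'Invoice.pdf.exe' without flagging harmless names like 'notes.js.txt'.
    """
    exts = attachment_extensions(filename)
    return bool(exts) and exts[-1] in BLOCKED_EXTENSIONS


def is_blocked_exec_path(path):
    """True if an executable path resolves to a location under %APPDATA% or %TEMP%.

    ntpath.normpath collapses '..' components and forward slashes so that a path
    written to evade a naive prefix match is still recognised.
    """
    norm = ntpath.normpath(path).lower()
    for root in BLOCKED_EXEC_ROOTS:
        root = root.lower()
        if norm == root or norm.startswith(root + "\\"):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not observed Thanos artefacts.
    for name in ("Tax_Refund.pdf", "Invoice.PDF.exe", "refund.scr ", "notes.js.txt"):
        print(f"{name!r:20} blocked={is_blocked_attachment(name)}")
    for p in (r"C:\Users\alice\Documents\..\AppData\Local\Temp\upd.exe", r"C:\Program Files\App\app.exe"):
        print(f"{p!r:55} blocked={is_blocked_exec_path(p)}")
```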