Thanos is the first ransomware family to feature the weaponized RIPlace tactic, enabling it to bypass ransomware protections.
Researchers have uncovered a new ransomware-as-a-service (RaaS) tool, called Thanos, the first ransomware family to use the RIPlace tactic, which lets an attacker bypass AV and EDR protections.
“Ransomware-as-a-service provides a means for less-experienced cybercriminals to employ ransomware as part of their operations, and to date, these services remain popular in underground forums.”
The Thanos ransomware builder gives operators the ability to create ransomware clients with a range of options that can be used in attacks. On underground forums it is sold as a “Ransomware Affiliate Program,” similar to a ransomware-as-a-service (RaaS) model.
Among its many features is the option to switch the Thanos encryption process to the RIPlace technique, which Nyotron released last year as a proof of concept (PoC). The PoC showed how ransomware can replace a victim’s files with encrypted data by writing the encrypted data from memory to a new file and then using the “Rename” call to replace the original file. Because the original file is replaced rather than modified in place (hence the name, “RIPlace”), the write never touches the protected file and the ransomware protections that watch for such writes are bypassed.
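The replace-by-rename pattern described above leaves a recognizable trace in file-system telemetry: a process creates a fresh file and then renames it over a path with a user-document extension, many times in a short window. The following detection heuristic is an added example written for this post from a defender's perspective; it is not code from the article, from Nyotron's PoC or from the Thanos builder. The event schema (timestamp, pid, operation, path, rename target) and the sample log are constructed for the example, and the extension list, window and threshold are assumptions a real deployment would tune.

```python
"""Flag processes that rename self-created files over user documents in bursts.

Added example (not part of the original post). The event tuples mimic a
minimal file-system audit feed; the schema and sample data are constructed.
"""
from collections import defaultdict, deque

# Assumed set of "sensitive" extensions a ransomware client is likely to target.
SENSITIVE_EXT = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".sql", ".txt"}


def _ext(path):
    """Lower-case extension of a path (works for Windows paths on any OS)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def detect_rename_bursts(events, window=5.0, threshold=5):
    """Return {pid: peak_hits} for processes exceeding `threshold` replace-style
    renames within any `window` seconds.

    A "hit" is a rename whose source was created earlier by the same pid and
    whose target carries a sensitive extension: the RIPlace-style sequence of
    writing a new file and renaming it over the original document.
    events: iterable of (ts_seconds, pid, op, path, rename_target_or_None).
    """
    events = sorted(events, key=lambda e: e[0])
    created = defaultdict(set)   # pid -> paths that pid created
    hits = defaultdict(deque)    # pid -> timestamps of recent hits
    alerts = {}
    for ts, pid, op, path, target in events:
        if op == "create":
            created[pid].add(path)
        elif op == "rename" and target is not None:
            if path in created[pid] and _ext(target) in SENSITIVE_EXT:
                recent = hits[pid]
                recent.append(ts)
                while recent and ts - recent[0] > window:   # slide the window
                    recent.popleft()
                if len(recent) >= threshold:
                    alerts[pid] = max(alerts.get(pid, 0), len(recent))
    return alerts


# Constructed sample log: one suspicious process (pid 4242) replacing eight
# documents in under a second, a word processor (pid 1001) doing a single
# temp-and-rename save, and a user (pid 2002) renaming a file it did not create.
DOCS = "C:\\Users\\alice\\Documents\\"
SAMPLE_EVENTS = (
    [(1.00 + i * 0.05, 4242, "create", f"{DOCS}~enc{i}.tmp", None) for i in range(8)]
    + [(1.02 + i * 0.05, 4242, "rename", f"{DOCS}~enc{i}.tmp", f"{DOCS}report{i}.docx")
       for i in range(8)]
    + [(2.00, 1001, "create", f"{DOCS}~WRD0001.tmp", None),
       (2.10, 1001, "rename", f"{DOCS}~WRD0001.tmp", f"{DOCS}notes.docx"),
       (3.00, 2002, "rename", f"{DOCS}old.pdf", f"{DOCS}archive.pdf")]
)

if __name__ == "__main__":
    print(detect_rename_bursts(SAMPLE_EVENTS))   # {4242: 8}
```

The benign save by pid 1001 uses the same temp-and-rename idiom but produces a single hit, which is why the rule counts hits per process inside a sliding window rather than alerting on any one rename; the threshold is what separates an editor's atomic save from a client replacing every document in a directory.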
Another feature offered by the Thanos client is a lateral-movement function. It makes use of a legitimate security tool called SharpExec, which is specifically designed for lateral movement. The client downloads the SharpExec tools from a GitHub repository, scans the local network for a list of online hosts, and uses SharpExec’s functionality to execute the Thanos client on the remote computers.
Other features of Thanos include the ability to exfiltrate all files with a specified set of extensions, an anti-analysis option that lets the client perform several checks to determine whether it is executing within a virtual machine, and two obfuscation options.
Thanos uses a random 32-byte string generated at runtime as the password for AES file encryption. The Thanos builder also includes the option to use a static password for the AES file encryption instead.
Thanos is increasingly becoming a popular RaaS tool, and the worst is likely still to come. With best security practices in place, including controlling or blocking file downloads, it can be kept under control. Security can’t be taken lightly.