Thanos, a Ransomware-as-a-Service (RaaS), was found to be on sale on the Russian underground. It is offered as a private ransomware builder with 43 different configuration options. Recently, the malware added a Windows MBR locker module.
On July 6 and July 9, 2020, files associated with Thanos ransomware (aka Hakbit) were observed in an attack targeting two state-run organizations located in the Middle East and North Africa.
In June 2020, an email-based ransomware campaign was found targeting organizations located in Western Europe (Austria, Switzerland, and Germany). The attack campaign reportedly leveraged the Thanos builder tool.
Mode of operation
The ransomware is available as a service and offers its users the ability to create custom ransomware payloads.
The ransomware uses a proof-of-concept ransomware technique called RIPlace to bypass anti-ransomware mitigations.
For propagation, it uses the legitimate PsExec tool to execute the ransomware on network-connected devices.
Thanos also spreads via common infection vectors, such as social engineering, phishing, and spam emails.
The ransomware builder tool is developed by a threat actor named Nosophoros.
The Thanos ransomware builder has been promoted as a private ransomware builder on Russian-speaking hacker forums since February.
Thanos is also marketed on a profit-sharing basis: enlisted hackers and malware distributors receive a revenue share of about 60-70% of ransom payments for distributing the ransomware.
Organizations need to be vigilant and must proactively update their anti-malware solutions, back up important data, and deploy secure email gateways and network firewalls to block potential threats.
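The PsExec-based propagation described above leaves a service-installation record on every host it reaches, which gives defenders something to hunt for. The following is an added example, not code from the original report: it flags bursts of PsExec service installs across several hosts in a short window. The record layout, host names, thresholds and function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows System-log Event ID 7045
# ("A service was installed"), collected from several hosts.
SAMPLE_EVENTS = [
    {"time": "2024-01-14T09:00:00", "host": "ADMIN01", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2024-01-15T02:14:05", "host": "FS01", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2024-01-15T02:14:40", "host": "FS02", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2024-01-15T02:15:02", "host": "FS02", "event_id": 7045,
     "service": "ExampleUpdater", "image": r"C:\Program Files\Example\upd.exe"},
    {"time": "2024-01-15T02:16:10", "host": "WS17", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2024-01-15T02:19:30", "host": "DC01", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
]


def is_psexec_install(ev):
    """True for a 7045 record carrying PsExec's default service name.

    This is a name-based heuristic; treat a match as a lead to triage.
    """
    return ev["event_id"] == 7045 and ev["service"].upper() == "PSEXESVC"


def psexec_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Return (start_time, hosts) for each burst of PsExec installs that
    touches at least `min_hosts` distinct hosts within `window`."""
    hits = sorted((datetime.fromisoformat(e["time"]), e["host"])
                  for e in events if is_psexec_install(e))
    bursts, i = [], 0
    while i < len(hits):
        j = i
        while j < len(hits) and hits[j][0] - hits[i][0] <= window:
            j += 1
        hosts = sorted({h for _, h in hits[i:j]})
        if len(hosts) >= min_hosts:
            bursts.append((hits[i][0].isoformat(), hosts))
            i = j  # continue after the reported burst
        else:
            i += 1  # isolated use (e.g. one admin session) is not flagged
    return bursts
```

A single PsExec install on one host is common administrative activity; the fan-out across several hosts in minutes is the pattern worth alerting on.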