Thanos 💀… A review of Ransomware as a Service

Thanos, a Ransomware-as-a-Service (RaaS), was found to be on sale on the Russian underground. It is being offered as a private ransomware builder with 43 different configuration options. Recently, the malware added a Windows MBR locker module.

Targeted victims

On July 6 and July 9, 2020, files associated with Thanos ransomware (aka Hakbit) were observed in an attack targeting two state-run organizations located in the Middle East and North Africa.

In June 2020, an email-based ransomware campaign was found targeting organizations located in Western Europe (Austria, Switzerland, and Germany). The attack campaign reportedly leveraged the Thanos builder tool.

Mode of operation

The ransomware is available as a service and offers its users the ability to create custom ransomware payloads.

The ransomware uses a proof-of-concept ransomware technique called RIPlace to bypass anti-ransomware mitigations.
For propagation, it uses the legitimate PsExec tool to execute the ransomware on network-connected devices.
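Because PsExec installs a service named PSEXESVC on every host it is pointed at, the propagation step above leaves a trail in the Windows System log (Event ID 7045, "A service was installed in the system"). The following detection logic is an added example, not code from the original post; the key=value log export and the timestamps are constructed for the example, and the thresholds are assumptions to tune per environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a simple key=value export of the Windows System log.
# Event ID 7045 is "A service was installed in the system"; PsExec installs a
# service named PSEXESVC on each target host before running the payload.
SAMPLE_EVENTS = [
    "Time=2020-01-01T02:10:05 EventID=7045 Host=WS01 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "Time=2020-01-01T02:10:09 EventID=7045 Host=WS02 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "Time=2020-01-01T02:10:14 EventID=7045 Host=FS01 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "Time=2020-01-01T02:11:00 EventID=7045 Host=WS03 ServiceName=Spooler ImagePath=%SystemRoot%\\System32\\spoolsv.exe",
    "Time=2020-01-01T09:30:00 EventID=7045 Host=ADMIN01 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict (values contain no spaces in this export)."""
    return dict(FIELD_RE.findall(line))


def psexec_service_installs(lines):
    """Return sorted (time, host) pairs for every 7045 event that installed PSEXESVC."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "7045" and ev.get("ServiceName", "").upper() == "PSEXESVC":
            hits.append((datetime.fromisoformat(ev["Time"]), ev["Host"]))
    return sorted(hits)


def fan_out_alerts(lines, min_hosts=3, window=timedelta(minutes=5)):
    """Flag PSEXESVC installs on at least min_hosts distinct hosts inside one window.
    A single install is routine admin use of PsExec; a burst across many hosts in a
    few minutes is the mass-deployment pattern the post describes."""
    hits = psexec_service_installs(lines)
    alerts = []
    for i, (t0, _) in enumerate(hits):
        hosts = {h for t, h in hits[i:] if t - t0 <= window}
        if len(hosts) >= min_hosts:
            alerts.append((t0, tuple(sorted(hosts))))
    return alerts


if __name__ == "__main__":
    for start, hosts in fan_out_alerts(SAMPLE_EVENTS):
        print(f"{start.isoformat()}: PSEXESVC installed on {len(hosts)} hosts: {', '.join(hosts)}")
```

The single ADMIN01 install hours later is deliberately left unflagged; it is the kind of legitimate administrative use that a bare string match on PSEXESVC would turn into noise.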

Thanos also spreads via common infection vectors, such as social engineering, phishing, and spam emails.

The ransomware builder tool is developed by a threat actor named Nosophoros.
The Thanos ransomware builder has been promoted as a private ransomware builder on Russian-speaking hacker forums since February.

Thanos is also marketed on a profit-sharing basis, as the enlisted hackers and malware distributors receive a revenue share—of about 60-70% of ransom payments—for distributing the ransomware.

Organizations need to be vigilant and must proactively update their anti-malware solutions, back up important data, and deploy a secure email gateway and network firewalls to block potential threats.
