Thanos Ransomware Adds New Features

A ransomware tool launched late last year has emerged as one of the most complex and adaptable malware-as-a-service variants on the scene, researchers have warned.

The Thanos ransomware, named after a Marvel supervillain, launched in November 2019 and has continued to evolve rapidly, with the addition of specialised tools and features.

Two of the most notable recent additions include RIPlace, a method for evading antivirus software, and a bootlocker that prevents infected systems from loading, said security firm SentinelOne.

“This tool is far more complex and robust than many previous builder-based ransomware services such as NemeS1S and Project Root,” SentinelOne researcher Jim Walter wrote in an advisory.

Custom malware

Thanos allows attackers to generate customised payloads with widely varied features and options, Walter said, adding that it is currently the only widely recognised threat making use of RIPlace.

The tool’s developers began releasing updates in January and the most recent iteration appeared only last month, Walter said.

The malware also goes to unusual lengths to evade security protections.

The most recent update includes a certain amount of code rebuilding in order to evade signature-based security scanners, Walter said.

“The actors behind Thanos are very aware of their ‘clients’ needs and the attention they are getting from the security industry,” he wrote.

Phishing

As a result, organisations should not rely solely on signature-based tools to protect them from such threats, Walter said.
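To make the point about signature-based tools concrete, here is an added example (not code from SentinelOne or from this article) that contrasts a hash signature with a simple behavioural heuristic. The payload bytes, the signature list, the file-system telemetry and the thresholds are all constructed for the demonstration and stand in for the real artefacts: a one-byte "rebuild" of the payload defeats the hash lookup, while the behavioural check still flags the process that overwrites many files with high-entropy data and renames them within a short window.

```python
import hashlib
import math
import random
from collections import defaultdict, deque

# Constructed sample "binaries": a payload and a rebuilt variant that differs
# by a single byte, standing in for the code rebuilding the article describes.
ORIGINAL_PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed-ransomware-body"
REBUILT_PAYLOAD = ORIGINAL_PAYLOAD[:-1] + b"!"

# Hypothetical hash signature list (constructed): SHA-256 hex digest -> name.
SIGNATURE_DB = {
    hashlib.sha256(ORIGINAL_PAYLOAD).hexdigest(): "Ransom.Constructed.A",
}


def signature_match(sample: bytes):
    """Hash-based lookup: returns the detection name, or None on a miss."""
    return SIGNATURE_DB.get(hashlib.sha256(sample).hexdigest())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted output sits close to 8.0, plain text far below."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def behavioural_alerts(events, window_s=10.0, min_files=20, min_entropy=7.0):
    """Flag any pid that, within window_s seconds, overwrites at least min_files
    files with high-entropy data and then renames each one to a new extension.

    events: iterable of (ts, pid, op, path, data); for op == "write" data is the
    bytes written, for op == "rename" data is the new path.  Thresholds are
    hypothetical tuning values, not figures from the article.
    """
    high_entropy_writes = defaultdict(set)   # pid -> paths written with ~random bytes
    rename_times = defaultdict(deque)        # pid -> timestamps of suspicious renames
    alerts = {}
    for ts, pid, op, path, data in sorted(events, key=lambda e: e[0]):
        if op == "write" and shannon_entropy(data) >= min_entropy:
            high_entropy_writes[pid].add(path)
        elif op == "rename" and path in high_entropy_writes[pid]:
            old_ext = path.rsplit(".", 1)[-1]
            new_ext = data.rsplit(".", 1)[-1]
            if old_ext == new_ext:
                continue
            q = rename_times[pid]
            q.append(ts)
            while q and ts - q[0] > window_s:   # keep only the sliding window
                q.popleft()
            if len(q) >= min_files and pid not in alerts:
                alerts[pid] = f"{len(q)} encrypted-and-renamed files in {window_s:.0f}s"
    return alerts


def build_sample_events():
    """Constructed telemetry: one editor process and one encrypting process."""
    rng = random.Random(2020)
    events = []
    # pid 100: a text editor saving a few documents (low entropy, no renames)
    for i in range(5):
        events.append((1.0 + i, 100, "write", f"C:/docs/notes{i}.txt",
                       b"quarterly report draft, revision " * 8))
    # pid 200: 25 files overwritten with random bytes and renamed to .locked in 5 s
    for i in range(25):
        blob = bytes(rng.getrandbits(8) for _ in range(1024))
        src = f"C:/docs/invoice{i}.xlsx"
        events.append((10.0 + i * 0.2, 200, "write", src, blob))
        events.append((10.1 + i * 0.2, 200, "rename", src, src + ".locked"))
    return events


if __name__ == "__main__":
    print("original payload:", signature_match(ORIGINAL_PAYLOAD))
    print("rebuilt payload: ", signature_match(REBUILT_PAYLOAD))
    print("behavioural alerts:", behavioural_alerts(build_sample_events()))
```

The hash lookup is exact-match by design, so any change to the file, however small, produces a miss; the behavioural check keys on what the process does to the files it touches rather than on what the process binary looks like, which is why it survives a rebuild. In production the same idea is usually implemented inside an EDR's file-system sensor rather than over an event list, but the logic is the same.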

Thanos has spread primarily via phishing emails, with more recent lures using financial-based hooks such as tax refund details, invoice schemes or economic stimulus package updates.

“Thanos is cementing its position as a primary tool for low-to-mid level criminals looking for an effective, easy-to-use malware tool that will both yield results and allow them to customise for their own specific target groups,” Walter wrote.

On the high end, SentinelOne also profiled the methods of a hacking group that used a Trickbot infection as the starting point to conduct a thorough scan of an organisation’s network before launching a Ryuk ransomware infection.

The breach indicates the lengths attackers are willing to go to in an effort to obtain ransoms that can run into the millions of pounds for high-value targets, SentinelOne said.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
