Thanos Ransomware First to Weaponize RIPlace Tactic

Thanos is the first ransomware family to feature the weaponized RIPlace tactic, enabling it to bypass ransomware protections.

Researchers have uncovered a new ransomware-as-a-service (RaaS) tool, called Thanos, which they say is increasing in popularity in multiple underground forums.

Thanos is the first ransomware family observed that advertises the use of the RIPlace tactic. RIPlace is a Windows file system technique unveiled in a proof of concept (PoC) last year by researchers at Nyotron, which can be used to maliciously alter files and which allows attackers to bypass various anti-ransomware methods.

Beyond its utilization of RIPlace, Thanos does not incorporate any novel functionality, and it is simple in its overall structure and functionality. But this ease-of-use may be why Thanos has surged in popularity amongst cybercriminals, according to Wednesday research from Recorded Future’s Insikt Group, shared with Threatpost.

“Ransomware-as-a-service provides a means for less-experienced cybercriminals to employ ransomware as part of their operations, and to date, these services remain popular in underground forums,” Lindsay Kaye, director of operational outcomes for the Insikt Group at Recorded Future, told Threatpost. “It is hard to say whether ransomware-as-a-service itself will become more sophisticated in the future, but in general, ransomware actors are getting more sophisticated — they are investing money into adding more exploits, so this may materialize in the form of more sophisticated ransomware offered as part of the RaaS marketplace.”

Thanos was first spotted by researchers in January, up for sale on an underground forum. It was developed by a threat actor under the alias “Nosophoros.” Since then, the threat actor continued to develop Thanos over the past six months, with regular updates and new features (the new RIPlace tactic was first advertised in February, for instance).

The Thanos ransomware builder gives operators the ability to create the ransomware clients with various different options that can be used in attacks. On underground forums, it’s being sold as a “Ransomware Affiliate Program,” similar to a ransomware-as-a-service (RaaS) model. As part of this, the Thanos builder is offered either as a monthly “light” or lifetime “company” subscription. The “company” version includes additional features, compared to the light version, such as data-stealing functionalities, RIPlace tactics and lateral-movement capabilities.

Thanos Builder

The ransomware offers various configuration options, features and classes depending on the service. Researchers observed more than 80 Thanos “clients” with different configuration options enabled.

One of the company-tier features is the ability to change the Thanos encryption process to use the RIPlace technique, which was released last year by Nyotron as a PoC. The PoC showed how ransomware can replace a victim’s files with encrypted data, by writing the encrypted data from memory to a new file, and then using the “Rename” call to replace the original file. After this sensitive file is replaced (hence the name, “RIPlace”) it enables bad actors to bypass ransomware protections.

“In the Thanos ransomware builder, a user can choose to select the option to enable RIPlace, which results in a modification of the encryption process workflow to use the technique,” Kaye told Threatpost.

Thanos Ransomware Note

Another feature offered by the Thanos client is a lateral-movement function. This makes use of a legitimate security tool called SharpExec, which is specifically designed for lateral movement. The client downloads the SharpExec tools from a GitHub repository, scans the local network to get a list of online hosts, and uses the SharpExec’s functionality to then execute the Thanos client on remote computers.

Other features of Thanos include the ability to exfiltrate all files with a specified set of extensions, an anti-analysis tool allowing the client to perform several checks to determine whether it is executing within a virtual machine environment, and two obfuscation options.

When encrypting the data for victims, Thanos uses a random, 32-byte string generated at runtime as a password for the AES file encryption. The string is then encrypted with the ransomware operator’s public key – and without the corresponding private key, recovering the encrypted files is impossible.

“The Thanos builder includes the option to use a static password for the AES file encryption,” said researchers. If this option is selected, the clients generated by Thanos will contain the AES password used to encrypt files. Importantly, this means that if a Thanos client is recovered after encryption has occurred, there is a chance that the victims may be able to recover their files without paying the ransom, researchers said.

The Future of Thanos

Based on code similarity, string reuse, the ransomware extension and the format of the ransom notes, researchers say they assess “with high confidence” that ransomware samples tracked as Hakbit are built using the Thanos ransomware builder developed by Nosophoros.

Thanos is under active development by its operators: Researchers have observed the ransomware receiving positive feedback from cybercriminals on underground forums, with claims that the tool “works flawlessly” and requests to “keep the updates coming.” That said, to date, Recorded Future researchers have not yet explicitly observed Thanos being used as part of an actual attack against a company, Kaye told Threatpost.

Researchers believe that Thanos will continue to be weaponized by threat actors, either individually, or collectively as part of its affiliate program. However, they said that “security best practices” can protect companies from the ransomware strain.

“With information security best practices such as prohibiting external FTP connections and blacklisting downloads of known-offensive security tools, the risks associated with the two key components of Thanos — data stealer and lateral movement — can be averted,” said researchers.