THANOS RANSOMWARE | RIPLACE, BOOTLOCKER AND MORE ADDED TO FEATURE SET


Published January 5, 2021 on Atlantic Pacific



Thanos ransomware burst onto the scene in late 2019, advertised in various forums and closed channels. Thanos is a RaaS (Ransomware as a Service) which provides buyers and affiliates with a customized tool to build unique payloads.

This tool is far more complex and robust than many previous builder-based ransomware services such as NemeS1S and Project Root. The generated payloads can be configured with numerous features and options. Many of the options available in the Thanos builder are designed to evade endpoint security products, and this includes the use of the RIPlace technique. To date, Thanos appears to be the only widely-recognized threat making use of RIPlace, although the feature was not always part of the Thanos toolset.

Initial Feature Set

The original advertised general feature set in November 2019 included:

  • Written in .NET
  • Support for Windows 7 and later
  • Simple and attractive builder interface
  • Automatic updates to the builder tool(s)
  • Strong encryption, via “American Government Encryption standard for communications with a large encryption key.”
  • Unique encryption keys per host
  • Configurable ransom note and file extensions
  • Small client footprint


In those same early posts, the following more “advanced” features were highlighted:

  • Multiple persistence options
  • Client (payload) can be set as a critical payload (resulting in BSOD upon attempts to terminate)
  • Randomized assembly data
  • Anti-VM / VM-evasion
  • Termination of Windows Defender and other AV products
  • 100GB Maximum filesize for encryption, which can be expanded
  • FTP-based logging
  • Mutex-based duplication avoidance
  • Configurable spreading options (network and removable drive attacks)
  • Strong “obfuscation against forensics”
  • Dynamic code generation
  • Polymorphic clients
  • Various compilation platform options

Development with RIPlace

The option to include the RIPlace technique appeared in early January 2020 and was subsequently made available to existing “customers” and “affiliates”.

Between February and June 2020, the following features were added to the toolset:

  • RIPlace
  • Updated FTP-based reporting
  • Built-in Rootkit feature (ransomware is now stealthy and invisible to Task Manager during encryption)
  • Tool interface improvements
  • Immortal process support expansion
  • Encryption speed enhancements (advertised to fully encrypt hosts in less than 2 minutes)
  • Rootkit option expanded to support Windows 7, 8, 10 on both x86 and x64 architectures
  • LAN-wide ransom notes can now appear at Windows Login
  • Runtime dyncheck for the ransomware client
  • Support for distinguishing between upper and lower-case file extensions
  • Updated Client expiration options
  • LAN share encryption without having to map drives
  • Updated runtime compilation
  • Routine cloud-based “Refud” (updates to AV evasion)

In April 2020, an option to simply encrypt “All Files” independent of the file extensions was added along with improved network encryption methods.

To see the original article: https://labs.sentinelone.com/thanos-ransomware-riplace-bootlocker-and-more-added-to-feature-set/