
Thanos Ransomware

Posted: June 11, 2020

The Thanos Ransomware is a file-locking Trojan that prevents digital media (with different specifiable formats per campaign) from opening. The Windows program also includes numerous advanced features for infiltrating networks, collecting data, and, in particular, evading standard threat-detection heuristics. Users should be watchful for possible brute-force or phishing attacks, maintain comprehensive backups, and let their updated anti-malware services remove the Thanos Ransomware on sight.

Clues Boiling Down to a New Ransomware-as-a-Service

Since 2019, periodic attacks by seemingly independent Trojans have surfaced between the similar assaults of massive Ransomware-as-a-Service families. In retrospect, however, the ancestry of such a Trojan often becomes more apparent. The Thanos Ransomware, active since 2019, is a recently verified family from the Russian Dark Web with variants such as the Hakbit Ransomware and the Quimera Ransomware – and features that are far from mundane.

Although the Thanos Ransomware leverages the common, non-consensual encryption feature for blocking files, and demands ransoms from its corporate victims, it also boasts other, well-developed capabilities. The RIPlace defense, which uses the Windows renaming operation to obfuscate threatening behavior, makes the Thanos Ransomware undetectable to numerous AV vendors' heuristics. Malware experts also point to the following features as especially significant:

  • The Thanos Ransomware may collect files (by default, documents and spreadsheets) from the infected PC and upload them to a threat actor's FTP server.
  • The Thanos Ransomware possesses network propagation functionality that lets it spread throughout network-available devices and compromise their files.
  • The Thanos Ransomware may delay its activation or hibernate.
  • The Thanos Ransomware can disable some security programs, Windows Defender, most notably.
  • The Thanos Ransomware includes a UAC-bypassing option that's highly significant for facilitating the RIPlace exploit. Microsoft initially dismissed RIPlace as exploitable because it requires elevated permissions.

The Trojan also has more cosmetic features, like custom wallpaper, and can reconfigure the extensions that it targets for locking. Each campaign has numerous other customization options at its disposal, courtesy of the premium Trojan-building kit, which has a friendly, low-barrier-to-entry UI.
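The behaviors listed above (mass renaming of files to a new extension, tampering with Windows Defender, and FTP egress from an unexpected process) are each observable in ordinary endpoint telemetry. The following detector is an added example written for this page, not code from the write-up, its authors, or any vendor product. It assumes a simplified Sysmon-style event model (`rename`, `process`, and `netconn` records) and constructed sample events; the thresholds, the `sample_locker.exe` process name, and the FTP-client allowlist are all assumptions chosen for illustration.

```python
"""Heuristic detection of file-locking Trojan behaviour over endpoint telemetry.

Added example, not code from the Thanos Ransomware write-up. The Event model
below is an assumption that mirrors simplified Sysmon-style records; every
sample event at the bottom is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath


@dataclass
class Event:
    ts: datetime
    kind: str            # 'rename' | 'process' | 'netconn'
    process: str         # image name of the acting process
    old_path: str = ""   # rename: path before the operation
    new_path: str = ""   # rename: path after the operation
    cmdline: str = ""    # process: full command line
    dst_port: int = 0    # netconn: destination port


# Thresholds are assumptions tuned for this example, not vendor defaults.
RENAME_BURST_COUNT = 5
RENAME_BURST_WINDOW = timedelta(seconds=10)

# Command-line fragments associated with disabling Windows Defender
# (Set-MpPreference is a real cmdlet; DisableAntiSpyware a real registry value).
DEFENDER_TAMPER_MARKERS = (
    "set-mppreference -disablerealtimemonitoring",
    "disableantispyware",
)

# Assumed allowlist of processes expected to talk FTP on this host.
FTP_ALLOWED_PROCESSES = ("filezilla.exe",)


def extension_changed(old_path: str, new_path: str) -> bool:
    """True when a rename swaps or appends the file extension, the way a
    file-locker marks encrypted files (report.docx -> report.docx.locked)."""
    return PureWindowsPath(old_path).suffix.lower() != PureWindowsPath(new_path).suffix.lower()


def detect_rename_bursts(events):
    """Flag processes that change many files' extensions inside a short window."""
    by_proc = defaultdict(list)
    for e in events:
        if e.kind == "rename" and extension_changed(e.old_path, e.new_path):
            by_proc[e.process].append(e.ts)
    alerts = []
    for proc, stamps in by_proc.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):            # sliding time window
            while stamps[end] - stamps[start] > RENAME_BURST_WINDOW:
                start += 1
            if end - start + 1 >= RENAME_BURST_COUNT:
                alerts.append(f"rename-burst:{proc}")
                break
    return alerts


def detect_defender_tampering(events):
    """Flag process launches whose command line disables Defender protection."""
    return [f"defender-tamper:{e.process}" for e in events
            if e.kind == "process"
            and any(m in e.cmdline.lower() for m in DEFENDER_TAMPER_MARKERS)]


def detect_ftp_egress(events):
    """Flag FTP connections from processes not on the allowlist."""
    return [f"ftp-egress:{e.process}" for e in events
            if e.kind == "netconn" and e.dst_port == 21
            and e.process.lower() not in FTP_ALLOWED_PROCESSES]


def analyze(events):
    """Run all rules and return a sorted, de-duplicated list of alert tags."""
    found = detect_rename_bursts(events) + detect_defender_tampering(events) + detect_ftp_egress(events)
    return sorted(set(found))


# Constructed telemetry: six extension-changing renames in six seconds by one
# process, one benign rename, one Defender-disabling command, two FTP connections.
_t0 = datetime(2020, 6, 11, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(_t0 + timedelta(seconds=i), "rename", "sample_locker.exe",
          old_path=rf"C:\Users\alice\Docs\file{i}.docx",
          new_path=rf"C:\Users\alice\Docs\file{i}.docx.locked")
    for i in range(6)
] + [
    Event(_t0, "rename", "explorer.exe", old_path=r"C:\Users\alice\a.txt", new_path=r"C:\Users\alice\b.txt"),
    Event(_t0 + timedelta(seconds=1), "process", "powershell.exe",
          cmdline="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event(_t0 + timedelta(seconds=2), "netconn", "sample_locker.exe", dst_port=21),
    Event(_t0 + timedelta(seconds=3), "netconn", "filezilla.exe", dst_port=21),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Because the write-up notes that RIPlace hides rename activity from some AV heuristics, a rule like `detect_rename_bursts` is only as good as the telemetry feeding it; it belongs alongside updated anti-malware signatures and offline backups rather than in place of them.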

Outliving a Supposedly Immortal Trojan Business

The Thanos Ransomware, whose name derives from an ancient Greek name meaning 'immortal,' is more sophisticated and comprehensive in its set of features than even most long-running RaaS families. Its threat actor, Nosophorus, is selling access to the Trojan's kit for a percentage of the ransom proceeds, which can make its distribution erratic and creative. For now, however, most campaigns that leverage this family concentrate on enterprise-grade or otherwise vulnerable businesses.

Malware researchers connect many attacks of this nature to e-mail phishing lures. Criminals may customize the contents of the messages and attachments to trick their targets into opening the Trojan's loader, through invisible exploits or macros that require activation. Secondly, some threat actors prey on users who leave access to their systems open by choosing weak passwords that dictionary attacks can 'guess.' Appropriate security protocols can prevent these issues and shut down the Thanos Ransomware's normal distribution channels.

With only a handful of dedicated vendors flagging this threat correctly, keeping detection databases up to date is especially critical for combating the family. Always remove the Thanos Ransomware variants with appropriate anti-malware services, when possible, and secure and maintain backups for recovery without a ransom.

The Thanos Ransomware is an impressive piece of work for a file-locking Trojan that's becoming a cliché. As the first apparent exploiter of RIPlace, it also might become just a sign of Trojan advancements and upgrades to come throughout the year.
