Thanos: Ransomware 2.0

Sep 30, 2021 | Uncategorized

Background

In late 2019, security researchers at Nyotron disclosed a way for ransomware to encrypt files on a Windows computer without being stopped by most of the anti-virus and anti-ransomware products they tested. The technique, called RIPlace [https://www.nyotron.com/riplace/], is not an exploit of a memory bug but an abuse of a legacy Windows feature: the malware writes the encrypted copy to a new file and then renames it over the original through an MS-DOS device name it created with DefineDosDevice. The file-system filter drivers that security products use to watch for rename-and-overwrite behaviour cannot resolve that destination path, so they let the operation through while the kernel carries it out.

Many anti-virus vendors are still unable to protect against this type of attack, and a signature update does not help against a technique that hides the file operation itself. Ask your vendor specifically whether its product has been fixed for RIPlace; Nyotron also published a free test tool on the page linked above that you can run against your own endpoint protection.

Ransomware as a Service

Ransomware is all about the money. In fact, some enterprising criminals are offering ransomware-generating tools called “Ransomware as a Service,” or RaaS. This lets people with little technical skill build complex ransomware that is difficult to detect. Sometimes the operators charge a fee for access to the tool, but frequently they take a percentage of each ransom paid, an affiliate model.

Introducing Thanos

In late 2019, a new RaaS called Thanos hit the scene. It was advanced from the start, and its makers have updated and improved it constantly. In February 2020 it added RIPlace as an optional feature for evading anti-virus software. As of today, some of its more notable features are:

  • Anti-forensics options that make it more difficult, if not impossible, to recover the original files from the hard drive or to reconstruct what happened
  • Stopping some third-party backup software, deleting Windows Volume Shadow Copies and, where it can reach them, deleting the backups themselves
  • Spreading across the network to infect other workstations and servers it can reach
  • Uploading the data it captures to attacker-controlled or cloud-based storage, so that the criminals hold a copy and can demand payment even if you restore from backup

The biggest concern is the way Thanos interacts with data. Not only will it encrypt your data, but the hackers keep a copy and threaten to release it if you do not pay a ransom. We’re going to call this Datanapping (it is more commonly called double extortion), and it is a development IT experts have expected for quite a while. While there have been past cases of Datanapping, those attacks were aimed at high-value companies rather than the broad, indiscriminate spread that is typical of ransomware.

Additionally, Thanos can target and delete backups and even use cloud systems to exfiltrate your data. Currently, most Thanos-built infections target large enterprises, but it is only a matter of time before they reach small and medium-sized businesses, since the RaaS model lets any affiliate point the same tooling at smaller targets.

How do you protect yourself?

Thanos is usually distributed via phishing emails, so…

  • Your first line of defense is a good spam filter, preferably one that scans the links and attachments in incoming email and blocks known malicious ones.
  • Train employees continually so that your users are less likely to click on these emails, and make it easy for them to report suspicious messages.
  • We strongly recommend a next-generation anti-virus (NGAV) or endpoint detection and response (EDR) product. These analyze the behavior of programs, such as mass file renames, shadow copy deletion or tampering with backup services, which helps them detect and stop new threats that have no signature yet. Ask your vendor whether its product has been fixed against RIPlace, since that technique was designed to slip past behavior-based rename monitoring.
  • Ensure you have good, reliable backups. Thanos’s ability to destroy backups means your strategy needs at least one copy the malware cannot reach: offline, or on storage that is immutable or protected by credentials the compromised machines do not hold. Test restores regularly; a backup you have never restored from is a hope, not a plan.
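
As an added example (it is not code from the original post or from any vendor mentioned here), the following Python script shows the kind of behavioral detection an EDR product performs, using the backup-destruction behaviour listed under Thanos’s features above as the target: it scans Windows process-creation events for shadow copy deletion, recovery tampering and backup-service stops, and flags hosts where several of these run together. The event records, the parent-process paths and the backup service name keywords are constructed for the example and should be tuned to your own environment.

```python
"""Detect backup-destruction commands in Windows process-creation events.

Constructed example: the events below mimic the fields of Sysmon Event ID 1 /
Security 4688 (host, image, command line, parent image). They are made up for
this example and do not come from a real incident.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Rule name -> regex over the normalised (lower-case, de-quoted, single-spaced)
# command line. These are the built-in Windows tools ransomware commonly
# abuses to delete shadow copies, disable recovery and stop backup services.
# Assumption: the service-name keywords in the last rule are illustrative.
RULES = [
    ("vss_delete", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete shadows\b")),
    ("vss_resize", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize shadowstorage\b")),
    ("wmic_shadow", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("ps_shadow", re.compile(r"win32_shadowcopy\b.*(?:\bremove-wmiobject|\bremove-ciminstance|\.delete\(\))")),
    ("bcdedit_recovery", re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled no|bootstatuspolicy ignoreallfailures)")),
    ("wbadmin_catalog", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete (?:catalog|systemstatebackup|backup)\b")),
    ("backup_service_stop", re.compile(r"\b(?:net1?(?:\.exe)? stop|sc(?:\.exe)? (?:stop|config)) \w*(?:veeam|backup|vss|sql)\w*")),
]

# Parent processes living in user-writable directories are a strong hint that
# the command came from a dropped payload rather than an administrator.
SUSPICIOUS_PARENT_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def normalize(command_line: str) -> str:
    """Lower-case, strip double quotes and collapse whitespace so trivial
    spacing or quoting tricks do not dodge the patterns."""
    return re.sub(r"\s+", " ", command_line.replace('"', "")).strip().lower()


def match_rules(command_line: str) -> list[str]:
    """Names of every rule that fires on one command line."""
    cmd = normalize(command_line)
    return [name for name, pattern in RULES if pattern.search(cmd)]


@dataclass
class Alert:
    host: str
    rule: str
    command_line: str
    parent_image: str
    suspicious_parent: bool


def scan(events: list[dict]) -> list[Alert]:
    """One Alert per (event, rule) pair; benign commands produce nothing."""
    alerts = []
    for ev in events:
        parent = ev.get("parent_image", "")
        suspicious = any(d in parent.lower() for d in SUSPICIOUS_PARENT_DIRS)
        for rule in match_rules(ev["command_line"]):
            alerts.append(Alert(ev["host"], rule, ev["command_line"], parent, suspicious))
    return alerts


def correlate(alerts: list[Alert], min_distinct_rules: int = 2) -> dict[str, list[str]]:
    """Hosts on which several *different* backup-tampering techniques fired.
    A single vssadmin call may be an administrator; several techniques in a
    row on one host is the pre-encryption routine ransomware runs."""
    by_host: dict[str, set[str]] = defaultdict(set)
    for a in alerts:
        by_host[a.host].add(a.rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_distinct_rules}


# Constructed sample events (not real telemetry).
DROPPER = r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe"
SAMPLE_EVENTS = [
    {"host": "ws01", "command_line": r"vssadmin.exe Delete Shadows /All /Quiet", "parent_image": DROPPER},
    {"host": "ws01", "command_line": r"cmd.exe /c wmic   shadowcopy delete", "parent_image": DROPPER},
    {"host": "ws01", "command_line": r"bcdedit /set {default} recoveryenabled No", "parent_image": DROPPER},
    {"host": "ws01", "command_line": r'"C:\Windows\System32\net.exe" stop VeeamBackupSvc', "parent_image": DROPPER},
    {"host": "srv01", "command_line": r"vssadmin list shadows", "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"host": "srv01", "command_line": r'powershell.exe -nop -w hidden -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"',
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"host": "dc01", "command_line": r"wbadmin get versions", "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws02", "command_line": r"sc config VSS start= disabled", "parent_image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        flag = " [parent in user-writable dir]" if a.suspicious_parent else ""
        print(f"{a.host}: {a.rule}{flag}: {a.command_line}")
    for host, rules in correlate(found).items():
        print(f"HIGH: {host} ran {len(rules)} distinct backup-tampering techniques: {', '.join(rules)}")
```

The single-rule hits on srv01 and ws02 are still worth a ticket, but the correlation step is what separates an administrator resizing shadow storage from a payload clearing the way before it encrypts; feeding the same rules with real Sysmon or 4688 telemetry is the only change needed to run this against a live environment.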

While Thanos may seem scary, you can proactively protect your business against cyberattacks, including this one. If you have any questions or concerns, or would like to give your business a new line of defense, reach out to us or give us a call at 844-448-7767.