In 2019, a new strain of ransomware called Thanos burst onto the scene. This code has since been spreading quietly and seeing increased adoption by hackers around the world.
The malware was traced to a Russian hacker going by Nosophorus. He has been offering the software as ‘Ransomeware-as-a-service’ on Russian-speaking forums on the Dark Web since February 2020.
The reason for Thanos ransomware spreading popularity is that Nosophorus has monetized its spread, creating an affiliate program that shares revenue from any ransom payments collected. This is only one of several interesting and alarming features of the code.
Most of the ransomware written in C# isn’t very robust or sophisticated. However, Thanos is an exception, sporting a modular design that makes it easy to upgrade or reconfigure based on each hacker’s specific needs.
In addition to that, Thanos is the first ransomware strain that makes use of RIPlace anti-ransomware evasion techniques, which makes it notoriously difficult to detect and prevent. The technique was first discovered by a security researcher going by the name of Nyotron. He duly reported it to security companies around the world, only to be told that the technique, while interesting, was purely theoretical and would never be seen in the wild.
Sadly, those predictions have now been proved to be incorrect. Thanos code is actively making use of the evasion technology, which leaves security companies scrambling to catch up.
Microsoft on the continued spreading of Thanos Ransomware
Unfortunately, when RIPlace was described to Microsoft, a spokesman for the company had something to say.
“The technique described is not a security vulnerability and does not satisfy our Security Servicing Criteria. Controlled folder access is a defense-in-depth feature and the reported technique requires elevated permissions on the target machine.”
Given this and the other advanced features Thanos sports, you can bet that it’s going to see increasingly widespread use. Ultimately, this will force big tech firms to take action, but not before the malware has the opportunity to do serious damage. Be on the alert for this one. Thanos is a serious threat.
