It has been reported that a new ransomware-as-a-service (RaaS) tool, called
"Thanos", which provides buyers and affiliates with a customization tool to
build unique payloads, is spreading and gaining popularity on various
underground forums and channels. This ransomware family employs the RIPlace
technique, which is used mainly to bypass anti-ransomware endpoint security.
Thanos ransomware is primarily delivered via phishing emails. The attack
campaign lures the user with financial bait such as tax-refund details,
invoice schemes, etc. Upon launch, the ransomware tries to terminate various
security processes and system utilities to ensure thorough encryption.
Its originally advertised features in late 2019 included auto-update for the
builder tool, a .NET implementation, unique encryption keys per host,
anti-VM / VM-evasion, multiple persistence options and more. The RIPlace
technique, along with other updated features, was added during the last six
months. Further noteworthy features have also been added recently, including
disabling of third-party backup solutions (in addition to AV product
termination), changing file permissions to capture (exfiltrate) or encrypt
more files, a Bootlocker feature to display the ransom note at boot (on
clients not protected by UEFI / Secure Boot), expanded support for
encryption on Windows Server 2012 and more, making it more resilient and
sophisticated. This enhances the threat potential of Thanos ransomware.
More than 80 Thanos "clients" have been observed with different
configuration options enabled. In the Thanos ransomware builder, a user may
select the option to enable RIPlace, which modifies the encryption process
workflow to use the technique.
Encryption strategy:
Thanos' encryption technique varies with the evolution of its payloads.
While encrypting, Thanos uses a random 32-byte string generated at runtime
as the passphrase for AES file encryption. The string is then encrypted
with the ransomware operator's public key; without the corresponding
private key, recovering the encrypted files is extremely difficult or
impossible.
However, the Thanos builder also provides a feature to use a static password
for the AES file encryption. If this option is chosen, the same AES password
is used to encrypt files, and if a Thanos client is recovered after the
encryption has occurred there is a chance of recovering files without
paying the ransom.
IOC:
Best practices for prevention:
Don't open attachments in unsolicited e-mails, even if they come from
people in your contact list, and never click on a URL contained in an
unsolicited e-mail, even if the link seems benign. If a URL appears
genuine, close the e-mail and go to the organization's website directly
through the browser.
Install ad blockers to combat exploit kits such as Fallout that are
distributed via malicious advertising.
Prohibit external FTP connections and blacklist downloads of known
offensive security tools.
All operating systems and applications should be kept updated on a regular
basis. Virtual patching can be considered for protecting legacy systems and
networks. This measure hinders cybercriminals from gaining easy access to
any system through vulnerabilities in outdated applications and software.
Avoid applying updates / patches available in any unofficial channel.
Restrict execution of PowerShell / WSCRIPT in an enterprise environment.
Ensure installation and use of the latest version of PowerShell, with
enhanced logging enabled, including script block logging and transcription.
Send the associated logs to a centralized log repository for monitoring and
analysis.
Establish a Sender Policy Framework (SPF) record for your domain; SPF is an
email validation system designed to prevent spam by detecting email
spoofing, which is how most ransomware samples successfully reach corporate
mailboxes.
Implement application whitelisting / strict Software Restriction Policies
(SRP) to block binaries running from the %APPDATA% and %TEMP% paths, as
ransomware samples are generally dropped and executed from these locations.
Users are advised to disable RDP if it is not in use; if it is required, it
should be placed behind the firewall and users should follow proper
policies while using RDP.
Block e-mail attachments of the following file types:
exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
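As an added example (not from the advisory), the following Python function applies the attachment-type block list above to constructed attachment names; it checks every suffix, not just the last one, so double extensions such as invoice.pdf.exe and upper-case variants are also flagged.

```python
from typing import Optional, Dict, List

# Blocked attachment types, exactly as listed in the advisory.
BLOCKED_TYPES = frozenset(
    "exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf"
    .split("|")
)


def blocked_type(filename: str) -> Optional[str]:
    """Return the first blocked extension found in filename, else None.

    Every suffix after the base name is checked, not only the last one, so
    'invoice.pdf.exe' (double extension) and 'Tax-Refund.EXE' (upper case)
    are both flagged. Trailing dots and spaces are stripped first because
    Windows silently drops them when the file is created.
    """
    name = filename.strip().rstrip(". ").lower()
    suffixes = name.split(".")[1:]      # [] when there is no extension
    for suffix in suffixes:
        if suffix in BLOCKED_TYPES:
            return suffix
    return None


def triage_attachments(names: List[str]) -> Dict[str, Optional[str]]:
    """Map each attachment name to the blocked type that matched, or None."""
    return {name: blocked_type(name) for name in names}


# Constructed sample attachment names modelled on the advisory's phishing lures.
SAMPLE_ATTACHMENTS = [
    "Tax-Refund-Details.EXE",
    "invoice_2020.pdf.exe",
    "payment_advice.js ",
    "statement.pdf",
    "README",
]

if __name__ == "__main__":
    for name, hit in triage_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name!r}: {'BLOCK (' + hit + ')' if hit else 'allow'}")
```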
Consider encrypting the confidential data as the ransomware generally
targets common file types.
Perform regular backups of all critical information to limit the impact of
data or system loss and to help expedite the recovery process. Ideally,
this data should be kept on a separate device, and backups should be stored
offline.
Network segmentation and segregation into security zones help protect
sensitive information and critical services. Separate the administrative
network from business processes with physical controls and Virtual Local
Area Networks (VLANs).