Thanos Ransomware as a service adds RIPlace, Bootlocker and more to feature set
Thanos is a RaaS (Ransomware as a Service) that provides buyers and affiliates with a customized tool to build unique payloads. This tool is far more complex and robust than many previous builder-based ransomware services such as NemeS1S and Project Root. The generated payloads can be configured with numerous features and options. Thanos RaaS was discovered in late 2019 on closed channels and forums.
The Thanos ransomware, named after a Marvel supervillain, launched in November 2019 and has continued to evolve rapidly since then with the addition of specialized tools and features. Two of the most notable recently added features are RIPlace, a method for evading antivirus software, and a boot locker that prevents infected systems from booting, according to security firm SentinelOne.
The Thanos builder lets operators create ransomware clients with many different options. The builder supplies defaults for some settings but requires operators to configure others, such as the Bitcoin address to be included in the ransom note. Further options can be enabled at the operator’s discretion. Once the operator has completed the configuration stage, the builder generates a .NET executable in the directory the operator chooses.
The Thanos client is written in C#. Every generated client uses randomized strings for its method, variable, and class names. A Thanos client contains 12 to 17 classes, depending on the options and settings selected during the build phase. Some classes, such as Program and Crypto, are included in every build. Others, such as NetworkSpreading and Wake on LAN, are only compiled into the final binary if the related option is selected.
To understand the capabilities of Thanos ransomware, Recorded Future generated over 80 clients with different configuration options enabled. This section highlights six of the key features of the ransomware.
- Encryption Process
- Lateral Movement
- Wake on LAN (WoL)
- Data Stealing
Looking at the Thanos ransomware family as a whole, it is clear that Thanos has been deployed consistently over the past six months. What are your views on Thanos RaaS? Let us know in the comment section below. For more news on tech and cybersecurity, stay tuned to Android Rookies by subscribing to our newsletter.