Thanos ransomware auto-spreads to Windows devices, evades security

The Thanos ransomware is the first to use a researcher-disclosed RIPlace anti-ransomware evasion technique as well as numerous other advanced features that make it a serious threat to keep an eye on.

Thanos first began private distribution at the end of October 2019, but it was not until January 2020 that victims began seeking help for what was then called the Quimera Ransomware.

As time went on, victims continued to seek help in the BleepingComputer forums for the same ransomware, but it was now being identified as Hakbit.

In a new report by Recorded Future, we learn that this ransomware is named Thanos and has been promoted as a Ransomware-as-a-Service on Russian-speaking hacker forums since February.

[Image: Hacker forum advertisement. Source: BleepingComputer]

Being promoted by a threat actor named Nosophorus, Thanos is enlisting hackers and malware distributors to distribute the ransomware. For doing so, they will receive a revenue share, which is typically around 60-70%, of any ransom payments.

Affiliates who join the Thanos RaaS gain access to a ‘Private Ransomware Builder’ that is used to generate custom ransomware executables.

[Image: Thanos ransomware builder. Source: Recorded Future]

While most ransomware written in C# does not have a high level of sophistication, Thanos has numerous advanced features that make it stand out from the rest.

As the builder screenshot above shows, the builder offers a wide range of features, including a built-in unencrypted file stealer, automated spreading to other devices, and the adoption of the researcher-disclosed RIPlace evasion technique.

First to use RIPlace anti-ransomware evasion

In November 2019, BleepingComputer reported on a new anti-ransomware evasion technique called RIPlace that was disclosed by the security researchers at endpoint protection firm Nyotron.

Nyotron discovered that when ransomware renames a file to a symlink created using the DefineDosDevice() function, anti-ransomware software would not accurately detect the operation.

Instead, their monitoring functions would receive an error, while the rename would still work, and thus bypass the anti-ransomware program.

If prior to calling Rename, we call DefineDosDevice (a legacy function that creates a symlink), we can pass an arbitrary name as the device name, and the original file path as the target to point to. This way we can get our device “XY” to refer to “C:\passwords.txt”.

The RIPlace discovery is that in the callback function the filter driver fails to parse the destination path when using the common routine FltGetDestinationFileNameInformation. It returns an error when passing a DosDevice path (instead of returning the path, postprocessed); however, the Rename call succeeds.

Thanos is the first ransomware to adopt the RIPlace technique, as shown by the code below.

[Image: RIPlace technique used in Thanos. Source: Recorded Future]

When Nyotron responsibly disclosed this technique to security companies, they were told by most that since it was a theoretical technique and not used in the wild, it would not be addressed.

Of the companies told, only Kaspersky and Carbon Black modified their software to prevent this technique.

We had also tested the technique against Microsoft’s Controlled Folder Access feature, which was not able to detect the method.

When we asked Microsoft about RIPlace, BleepingComputer was told that this technique is not considered a vulnerability as it does not satisfy their security servicing criteria.

“The technique described is not a security vulnerability and does not satisfy our Security Servicing Criteria. Controlled folder access is a defense-in-depth feature and the reported technique requires elevated permissions on the target machine.”
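As an added illustration (not code from the article, Nyotron or Recorded Future), this Python model contrasts a rename monitor that treats a failed destination lookup as harmless with one that resolves the DOS-device name itself and fails closed. The device table, the resolver and all paths are simulated stand-ins for the Windows kernel objects named above.

```python
# Added example: simulated rename monitor showing the RIPlace gap and a
# hardened check. DosDeviceTable stands in for the namespace that
# DefineDosDevice() populates; resolve_destination() stands in for
# FltGetDestinationFileNameInformation, which errors on a DOS-device path.
from dataclasses import dataclass, field

DOS_PREFIXES = ("\\\\?\\", "\\\\.\\")  # \\?\NAME and \\.\NAME forms


@dataclass
class DosDeviceTable:
    devices: dict = field(default_factory=dict)

    def define(self, name: str, target: str) -> None:
        # DefineDosDevice("XY", r"C:\...\passwords.txt"): device XY -> that file
        self.devices[name.upper()] = target


def resolve_destination(path: str) -> str:
    """Simulated filter routine: returns the path, or raises on a DOS-device path."""
    if path.startswith(DOS_PREFIXES):
        raise OSError("destination name could not be parsed")
    return path


def under_protected(path: str, protected_dirs) -> bool:
    """True if path lies inside one of the protected directories (case-insensitive)."""
    return any(path.lower().startswith(d.lower().rstrip("\\") + "\\") for d in protected_dirs)


def naive_monitor(dst: str, protected_dirs) -> bool:
    """True = rename blocked. Flawed pattern: a lookup error lets the rename through."""
    try:
        target = resolve_destination(dst)
    except OSError:
        return False  # the gap RIPlace relies on
    return under_protected(target, protected_dirs)


def hardened_monitor(dst: str, protected_dirs, table: DosDeviceTable) -> bool:
    """True = rename blocked. Resolve the DOS device ourselves; unknown -> fail closed."""
    try:
        target = resolve_destination(dst)
    except OSError:
        name, _, rest = dst[4:].partition("\\")  # strip \\?\ or \\.\, split NAME\rest
        base = table.devices.get(name.upper())
        if base is None:
            return True  # cannot tell where the rename lands: block it
        target = base + ("\\" + rest if rest else "")
    return under_protected(target, protected_dirs)
```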

Built-in file theft and automatic spreading

Over the past year, ransomware operations have adopted the tactic of stealing victims’ files before encrypting a computer. The threat actors then threaten to release the stolen files on data leak sites if a ransom is not paid.

This file theft is usually done via a company’s cloud backups or through the manual copying of files to a remote location.

Thanos includes an ftp_file_exfil() function that automatically performs file exfiltration to a remote FTP site as it encrypts a computer.

Recorded Future stated that the files stolen by default are ‘.docx’, ‘.xlsx’, ‘.pdf’, and ‘.csv’, but other extensions can be specified by the ransomware affiliate when building the ransomware executable.

[Image: Built-in data exfiltration. Source: Recorded Future]

In addition to the built-in file theft, Thanos also includes a feature that will attempt to spread the ransomware laterally to other devices on the network.

When executed, Thanos will download the SharpExec offensive security toolkit from its GitHub repository. The ransomware will use SharpExec’s bundled PSExec program to copy and run the ransomware executable on other computers.

[Image: Automated spreading to other computers. Source: Recorded Future]

This feature allows the ransomware affiliate to compromise a single machine and potentially use it to encrypt other devices on the network.

This is particularly devastating if the compromised user is a domain admin.

In Thanos ransom notes seen by BleepingComputer, this ransomware has been seen in targeted attacks against companies where multiple servers were encrypted.

[Image: Thanos ransom note. Source: BleepingComputer]

Threat actors are continually evolving their ransomware to utilize new techniques and tactics.

They are also known to monitor the activities of researchers, developers, and journalists to improve their malware.

The adoption of the theoretical RIPlace anti-ransomware evasion technique clearly illustrates this.