New ‘Thanos’ Ransomware First to Weaponize RIPlace Tactic
The Thanos ransomware is the first to use the researcher-disclosed RIPlace anti-ransomware evasion technique, and it has numerous other advanced features that make it a serious threat to keep an eye on.
RIPlace is a Windows file system technique that researchers at Nyotron unveiled in a proof of concept (PoC) last year. It can be used to maliciously alter files, and it allows attackers to bypass various anti-ransomware methods.
Thanos is being promoted by a threat actor named Nosophoros, who is enlisting hackers and malware distributors to distribute the ransomware. In return, they receive a revenue share, typically around 60-70%, of any ransom payments. Nosophoros has continued to develop Thanos over at least the past six months, with regular updates and new features. Thanos is advertised as a “Ransomware Affiliate Program,” similar to a ransomware-as-a-service (RaaS) model. Thanos will continue to be weaponized by threat actors, either individually or collectively as part of the affiliate program.
Nyotron researchers said their goal was to alert security firms to a way that ransomware attackers could slip past their detection. Two firms, Kaspersky and Carbon Black, updated their software at the time, while many others did not, according to Bleeping Computer.