Developed by the Nosophoros cybergang, the Thanos ransomware, discovered in January 2020, has unusual self-protection capabilities. Using the RIPlace technique, the malware can bypass the system and network measures meant to deactivate it.
Between cyber criminals and security teams, it is an eternal game of cat and mouse. But sometimes the mouse is particularly hard to neutralize. Such is the case of the Thanos ransomware, discovered in January 2020 by Insikt Group, which published a report to better understand how it works. The group of cyber criminals operating under the alias Nosophoros is behind Thanos, and sells on the dark web a customizable version of the malware with 43 possible configurations, to match the needs of cyber crooks as closely as possible. The distribution model, ransomware-as-a-service coupled with updates and new functions, shows how far the operator behind Thanos has professionalized its activity.
“The Thanos client is simple in structure and general functionality. It is written in C# and is easy to understand despite its obfuscation [which consists of making an executable or source code unreadable and hard to understand for a human or a decompiler, editor's note], although it incorporates more advanced functionality such as the RIPlace technique,” explains Insikt Group. The malware comprises 12 to 17 classes, including a common core (Program and Crypto) and others such as NetworkSpreading and Wake on LAN, depending on the “options” chosen by the buyers of the ransomware. The RIPlace technique embedded in Thanos increases the malware's ability to bypass the defenses put in place by corporate security teams (anti-virus, firewalls, etc.) to deactivate it. “With security best practices such as banning external FTP connections and blacklisting known offensive security tools, the risks associated with the two key components of Thanos – Data Stealer and Lateral Movement (via the tool SharpExec) – can be avoided,” says Insikt Group.
Kaspersky and Carbon Black quick to fix the RIPlace vulnerability
“The Thanos client uses AES-256 in CBC mode to encrypt user files. The key used for AES encryption is derived from a password and a salt through the Windows function call Rfc2898DeriveBytes. Once the Thanos client has used this key to encrypt all the files it discovers, it uses an integrated RSA 2048 public key to encrypt the AES password used. The base64 string of this encrypted password is added to the ransom note, asking the victim to send the encrypted password string to the threat actors to decrypt their files. The private key associated with the public key used to encrypt the password is required to decrypt the AES password. Only the operator who created the Thanos client should have access to the private key,” said Insikt Group.
The RIPlace technique used by Thanos was first the subject of a proof of concept (POC) by Nyotron in November 2019, which warned security solution providers including Microsoft. At the time, however, most of them did not consider the technique a vulnerability, except Kaspersky and Carbon Black (acquired by VMware), which modified their software accordingly. In early 2020, Insikt Group observed on the dark web and on cyber criminal forums that the RIPlace technique was starting to be implemented.
A chance to recover data without paying
All is not lost, however: “If a dynamic key is chosen, before starting the encryption process, the Thanos client uses the Windows RNGCryptoServiceProvider to generate a random base64 string of 32 bytes which will be used as the AES password. If the Thanos client is configured to use a static password, it is stored in the binary itself. This means that if a Thanos client is recovered after encryption, there is still a chance for Thanos victims to recover their files without paying a ransom,” says Insikt Group. However, according to the firm's latest analyses, Nosophoros has received positive signals from the hacker community, saying that the tool “works perfectly” and urging the cybergang to “keep the updates coming”. For Nosophoros, it's business as usual.