New Ransomware Uses Sophisticated Evasion Techniques
Cybersecurity firm, Recorded Future, revealed on June 10 that a ransomware attack named “Thanos” has been promoted on a number of darknet hacking forums since February.
According to the report, Recorded Future’s Insikt Group uncovered the new ransomware-as-a-service attack.
“Ransomware-as-a-service” methods consist of allowing external hackers to use the ransomware to attack their targets in exchange for adhering to a revenue-share scheme with the developers by splitting profits of 60% – 70% approximately.
The major feature of Thanos ransomware
Speaking with Cointelegraph, Lindsay Kaye, director of operational outcomes of Insikt Group at Recorded Future, explains further the encryption’s feature used in the ransomware:
“Thanos does not have any particularly sophisticated or novel characteristics that we were able to identify, but the remarkable feature that Insikt Group found and that spurred this research is the malware’s use of the RIPlace technique in its file encryption process. Previously, the RIPlace technique was only observed in the proof of concept published by Nyotron, but the Thanos ransomware demonstrates an example of a threat actor productizing the technique for use in malware.”
The Thanos ransomware builder allows the operator to customize the software’s ransom note. They can modify the text to ask for any cryptocurrency of their choosing, not just Bitcoin (BTC).
Though it is an advertised possibility, Kaye says that so far, they have not observed the use of Monero with the ransomware.
Encryption’s level of strength
The director of operational outcomes of Insikt Group at Recorded Future advised:
“Ransomware attacks, if successful, can be hugely debilitating to companies. Because Thanos by default uses an AES encryption key that is generated at runtime, without the attacker’s private key, recovery of the files is impossible. That said, to minimize the risk of an attack using Thanos, organizations should continue to employ information security best practices for mitigating the threats posed by ransomware.”
Cointelegraph previously reported that DopplePaymer hackers leaked a number of archive files belonging to NASA through a portal operated by the gang, including HR documents and project plans. These files came from Maryland-based Digital Management Inc, or DMI, which is an IT contractor that works with several companies and government entities.