Thanos Ransomware-as-a-Service

First observed in January 2020, Thanos is a C# based ransomware tool and builder created by the Nosophoros advanced persistent threat for sale through an affiliate program. Whilst sometimes referred to as Hakbit, this name describes a number of ransomware variants understood to have been created using the Thanos builder.

Threat ID:: CC-3472
Category:: Ransomware
Threat Severity:: Medium
Threat Vector:
Published:: 28 May 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions

Threat details

Nosophoros heavily advertise the Thanos builder on a number of dark web sites and hacking forums. Users who purchase it are signed up to an affiliate program, where Nosophorus offer configuration and delivery support seemingly in an attempt to ensure their attacks are successful.

All Thanos clients use the RIPlace evasion technique to bypass most security and detection mechanisms, as well as the AES algorithm for file encryption. At the time of publication, it is unclear if Thanos is able to encrypt networked drives, with all observed clients targeting local files only.

Remediation steps

Type	Step
	If a device on your network becomes infected with ransomware it will begin encrypting files, which may also include remote files on network locations. The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup. To reduce the likelihood of infection by ransomware, NHS Digital advises that: Secure configurations are applied to all devices. Security updates are applied at the earliest opportunity. Tamper protection settings in security products are enabled where available. Obsolete platforms are segregated from the rest of the network. IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments. Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts. Administrative accounts are only used for necessary purposes. Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations. Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible. Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages. To limit the impact of a ransomware infection, NHS Digital advises that: Critical data is frequently saved in multiple backup locations. At least one backup is kept offline at any time (separated from live systems). Backups and incident recovery plans are tested to ensure that data can be restored when needed. User account permissions for modifying data are regularly reviewed and restricted to the minimum necessary. Infected systems are disconnected from the network and powered down as soon as practicable. Any user account credentials that may have been compromised should be reset on a clean device. Where infected systems cannot be quarantined with confidence, then an affected organisation should disconnect from national networks to limit propagation.

Type

Step

If a device on your network becomes infected with ransomware it will begin encrypting files, which may also include remote files on network locations. The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup.

To reduce the likelihood of infection by ransomware, NHS Digital advises that:

Secure configurations are applied to all devices.
Security updates are applied at the earliest opportunity.
Tamper protection settings in security products are enabled where available.
Obsolete platforms are segregated from the rest of the network.
IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
Administrative accounts are only used for necessary purposes.
Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

To limit the impact of a ransomware infection, NHS Digital advises that:

Critical data is frequently saved in multiple backup locations.
At least one backup is kept offline at any time (separated from live systems).
Backups and incident recovery plans are tested to ensure that data can be restored when needed.
User account permissions for modifying data are regularly reviewed and restricted to the minimum necessary.
Infected systems are disconnected from the network and powered down as soon as practicable.
Any user account credentials that may have been compromised should be reset on a clean device.
Where infected systems cannot be quarantined with confidence, then an affected organisation should disconnect from national networks to limit propagation.

Indicators of compromise

Main indicators

Email Addresses

hakbit@protonmail[.]com

SHA256 File Hashes

049425dac929baf288c44c981ef63417d097fb95f5199c9f33e5ef5e2ec20590
09fd6a13fbe723eec2fbe043115210c1538d77627b93feeb9e600639d20bb332
10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5
17314793d751b66f4afc1fac1c0ab0c21f2c9f67e473e8ba235bc79d7e0ea1b0
23d7693284e90b752d40f8c0c9ab22da45f7fe3219401f1209c89ac98a4d7ed3
34b93f1989b272866f023c34a2243978565fcfd23869cacc58ce592c1c545d8e
3ccf57e60cdf89d04f2c7e744d73e3b40a4308a2ba87d0423c96f601d737733f
3f83fd42af95185e19e537708dccdf1539dcab1ce73783c2741b4c1929dcc020
53806ba5c9b23a43ddbfa669798d46e715b55a5d88d3328c5af15ba7f26fbadd
5849966984f270b200fd80e086d2565a5a7d4ee0743677640f45b97b46e49082
5b5802805784b265c40c8af163b465f1430c732c60dd1fbec80da95378ae45b7
794369bc9a06041f906910309b2ce45569a03c378ff0468b6335d4f653f190ab
7a38f70d923669a989ea52fa1c356c5ac7ccce4067a37782973466102e3d27f6
7a7a5110cb9a8ee361c9c65f06293667451e5200d21db72954002e5725971950
7e6db426de4677efbf2610740b737da03c68a7c6295aca1a377d1df4d35959e5
81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e
855dcd368dbb01539e7efa4b3fefa9b56d197db87b1ba3ede5e1f95927ea2ca3
86ed000fa2dd99f2b2341da607c904c0b510f98ead65be12b358e3f73e624cb6
871eef727aaad88b734bb372f19e72ccf38034195666c35390f5c3064f5469a3
8a2b54d273d01f8d5f42311d5402950bb9983648a39b943c729314a97ede15a2
916500065fb0037de6e95bdbeafaa69a8d3932af10e81acb02f88c6a65cb577e
916aeaa51050f25dbbcefc1be1820457e1d9d755a44d2d0cf62155f75c54127c
917905ba95c10847e0bf3bc66332ae05616a0ddd965a00ae8ec3431ed11c39d2
940df3b1cf603388cf9739cc208c1a88adfe39d2afe51e24a51878adca2be4e3
9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2
989a9d2e08fcba4059ebc55afc049f34d2a12bfdd1e14f468ee8b5c27c9e7bda
a1bab429b3b18fdb8e4fec493bd53e89c0f87147d902ff41a0f6dcd61c159553
a95f9d82097bdfa2dd47e075b75d09907d5913e5c15d05c926de0d8bbce9698f
aae00e2532ae5093e8c0a623bffcc4c447d04e89237438c52cb473854c715724
b99e0b750b3815fec3b292ede3f94524c8bede7d158334295e096518e9cde0ad
befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415
c8f18fb0baf81b31daa929499b2dcaa7f297bd05ec1ecff319ae5e8b34dade00
cea80fe543aec9c6b4a4628ec147e8a41cac766c2cd52c0ca86a19f9ef348fc3
d1b634201a6158a90f718a082c0fe0ee1769ff4b613dd9756a34318fa61eea47
db3ef67666e18047aa24a90bfa32ca456641209147703853413d56eb74d44673
e256a9f20479f29e229f594ef6ab91be75bff9e3f0784030ac0feb8868f4abc1
e63aeb1aa61c38a5bed126b41ca587a892de0311730b892aee77541a761e1a02
e67fa8978e6c22f4d54604a54c3ac54e631128eed819d37355c2ad80e74507a5
edcac243808957cc898d4a08a8b0d5eaf875f5f439a3ca0acfaf84522d140e7e
f0c0c989b018ee24cbd7548cec4e345fd34f491d350983fddb5ddc1ad1f4ba9f
f1388fbe51253d8f07a98eabfe0422e39821d936166cc85c92a0418854ae15fb
f7d7111653c43476039efd370fb39fcdb2c22a3f1bb89013af643b45fb3af467
fd8c3259b8e80b8220c6053aa9b045676d1e3fe09356ed94b5e47fb5b895ff92
ff1a88c2ad5df435a978c63d21a6ab0642134785284b01137e18dd235197b66d

Last edited: 29 June 2021 12:01 pm