Researchers say that a new ransomware builder tool named after the super-villain Thanos — made available for sale on dark web forums — is the first to strategically use RIPlace, a Microsoft Windows file system technique that’s known to bypass antivirus protections and endpoint detection and response solutions.

The implementation of RIPlace, combined with the ransomware’s overall ease of use and wealth of configuration options, may be why the Thanos has been gaining popularity among prospective buyers, according to researchers at Recorded Future’s Insikt Group who uncovered Thanos. These buyers are seeking to become ransomware affiliates who earn a share of illicit profits gleaned from successful extortion attacks.

The RIPlace technique, discovered and disclosed by the Nyotron Research team last year, involves altering and encrypting files in such a way that ransomware activity evades many popular detection solutions.

BleepingComputer reported in November 2019 that Kaspersky and Carbon Black had modified their software to shut down this technique; however, Nyotron reportedly told BleepingComputer that most vendors were not responsive when initially informed about RIPlace six months earlier because no attacker was actively using it in the wild.

SC Media reached out to Nyotron via email to inquire if vendors have been more responsive since then and received the following answer from Rene Kolga, VP of product strategy and head of product management: “It is likely that other AV vendors added coverage for the RIPlace evasion technique: however we have not received any direct communication [or] acknowledgement from them. It is actually fairly easy for AV vendors to properly handle this condition and it is unfortunate that the industry as a whole is so reactive.”

“The only plausible explanation that we have for this situation is that the industry still relies on enumerating all badness in the world, which is obviously an impossible task, as badness is infinite and ever evolving. It is hard to be reactive in this case,” Kolga continued.

Nyotron has previously described the RIPlance technique in detail in a technical report. Recorded Future, however notes in a company blog post that it essentially involves “a process to encrypt a target file by leveraging symbolic links through an MS-DOS device name to copy an encrypted version of the file to the original file location.”

Recorded Future reports that Thanos ransomware comes with 43 configuration options that offer users a wide range of customization, and it has been regularly updated with new features since January, when Recorded Future first observed that an actor with the alias Nosophoros had placed the builder for sale on the Exploit Forum. (In February, the researchers also spotted the tool on the XSS forum.)

According to the blog post, the Thanos client is written in C# and is “simple in its overall structure and functionality,” which is appealing to users who are “looking for ready-to-use ransomware.”

Judging from code similarity and string reuse, Recorded Future researchers have assessed with high confidence that Thanos is a derivation of the commodity ransomware known as Hakbit. It targets files with 99 different extensions and encrypts these files using the AES-256 algorithm in cipher block chaining mode. Backups and shadow copies are also deleted to prevent recovery. It either generates a random, 32-byte string at runtime as a password or the password is statically included in the binary — depending on the attacker’s choice of configuration. In the latter case, it is possible the victim may be able to recover his or her files.

Upon encrypting the files, Thanos drops a ransom note on a victim’s desktop and any folder where files were impacted.

In addition to the RIPlace technique, Thanos also leverages the SharpExec offensive security tool in order to spread laterally to remote computers connected along the local network. Thanos can also move laterally movement using magic packets sent to remote hosts via the Wake on LAN hardware feature available on certain computers.

There is also a “Data Stealer feature that exfiltrates files with specified extensions (default settings: “.docx,” “.pdf,” “.xlsx,” and “.csv”) via an FTP webclient. 

Fortunately, Insikt Group notes that following “information security best practices such as prohibiting external FTP connections and blacklisting downloads of known-offensive security tools” can impede Thanos’ ability to steal data and move laterally across organizations.