Rule of the Week: Thanos Ransomware

Today in the Rule of the Week section, we suggest paying attention to the rule published by Emir Erdogan. The new rule helps detect Thanos ransomware, which weaponized RIPlace tactic to bypass anti-ransomware solutions: https://tdm.socprime.com/tdm/info/QvmZLqPG91bq/LYA4D3MBSh4W_EKGVfTV/?p=1

Thanos ransomware first appeared at the end of last year, and its authors advertised it in underground forums and closed channels. It is distributed as Ransomware-as-a-Service providing even unskilled attackers with a customized tool to build unique payloads. Thanos ransomware is more complex than many previous builder-based ransomware services. Many of the options available in the Thanos builder are designed to evade security solutions. Advanced features of the ransomware also include multiple persistence options, randomized assembly data, Anti-VM / VM-evasion, termination of Windows Defender and other AV products, and configurable spreading options. Recently, ransomware authors added the use of RIPlace to avoid detection. Thanos is the first ransomware family that uses RIPlace tactic. This is a Windows file system technique, which can be used to maliciously alter files allowing ransomware to avoid detection.

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, ELK Stack, RSA NetWitness, Sumo Logic, Graylog, Humio, LogPoint

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Impact, Defense Evasion, Discovery

Techniques: Data Encrypted for Impact (T1486), Disabling Security Tools (T1089), Security Software Discovery (T1063), Software Discovery (T1518)