Today in the Rule of the Week section, we suggest paying attention to the rule published by Emir Erdogan. The new rule helps detect Thanos ransomware, which weaponized RIPlace tactic to bypass anti-ransomware solutions:

Thanos ransomware first appeared at the end of last year, and its authors advertised it in underground forums and closed channels. It is distributed as Ransomware-as-a-Service providing even unskilled attackers with a customized tool to build unique payloads. Thanos ransomware is more complex than many previous builder-based ransomware services. Many of the options available in the Thanos builder are designed to evade security solutions. Advanced features of the ransomware also include multiple persistence options, randomized assembly data, Anti-VM / VM-evasion, termination of Windows Defender and other AV products, and configurable spreading options. Recently, ransomware authors added the use of RIPlace to avoid detection. Thanos is the first ransomware family that uses RIPlace tactic. This is a Windows file system technique, which can be used to maliciously alter files allowing ransomware to avoid detection.

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, ELK Stack, RSA NetWitness, Sumo Logic, Graylog, Humio, LogPoint

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint



Tactics: Impact, Defense Evasion, Discovery

Techniques: Data Encrypted for Impact (T1486), Disabling Security Tools (T1089), Security Software Discovery (T1063), Software Discovery (T1518)

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts