New Ransomware Uses Sophisticated Evasion Techniques

Published at: June 11, 2020

Cybersecurity firm Recorded Future revealed on June 10 that a ransomware strain named “Thanos” has been promoted on a number of darknet hacking forums since February.

According to the report, Recorded Future’s Insikt Group uncovered the new ransomware-as-a-service offering.

Under the “ransomware-as-a-service” model, the developers let external hackers use the ransomware against their own targets in exchange for a revenue share with the developers, with the larger side of the split reported at roughly 60% to 70% of the profits.

The major feature of Thanos ransomware

Speaking with Cointelegraph, Lindsay Kaye, director of operational outcomes of Insikt Group at Recorded Future, explained the notable feature of the ransomware’s encryption routine:

“Thanos does not have any particularly sophisticated or novel characteristics that we were able to identify, but the remarkable feature that Insikt Group found and that spurred this research is the malware’s use of the RIPlace technique in its file encryption process. Previously, the RIPlace technique was only observed in the proof of concept published by Nyotron, but the Thanos ransomware demonstrates an example of a threat actor productizing the technique for use in malware.”

The Thanos ransomware builder allows the operator to customize the ransom note, including the text demanding payment in any cryptocurrency of the operator’s choosing, not just Bitcoin (BTC).

Though Monero is an advertised option, Kaye said that Recorded Future has so far not observed it being used with the ransomware.

Strength of the encryption

Kaye advised:

“Ransomware attacks, if successful, can be hugely debilitating to companies. Because Thanos by default uses an AES encryption key that is generated at runtime, without the attacker’s private key, recovery of the files is impossible. That said, to minimize the risk of an attack using Thanos, organizations should continue to employ information security best practices for mitigating the threats posed by ransomware.”
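The quote leaves the key handling implicit. The Go program below is added here as an illustration; it is not code from Recorded Future or from the Thanos builder. It shows the hybrid pattern the quote describes: a random AES key generated at runtime encrypts the data, and that key is then wrapped with the operator’s asymmetric public key, so only the holder of the matching private key can unwrap it. AES-GCM, RSA-OAEP, the 256-bit key size, the 2048-bit RSA modulus and the sample text are assumptions made for the demonstration; the article does not say which parameters Thanos uses.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WrappedFile is everything left on the victim host after encryption: the
// AES-GCM nonce, the ciphertext, and the per-run AES key wrapped with the
// operator's public key. The plaintext AES key is never written anywhere.
type WrappedFile struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// EncryptWithRuntimeKey models the victim-side step: a fresh 256-bit AES key is
// generated at runtime, used once with AES-GCM, wrapped with the operator's RSA
// public key (RSA-OAEP is an assumption; the article names no asymmetric
// scheme), and then zeroed in memory.
func EncryptWithRuntimeKey(operatorPub *rsa.PublicKey, plaintext []byte) (*WrappedFile, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, operatorPub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // from here on the only copy of the key is the wrapped blob
		key[i] = 0
	}
	return &WrappedFile{Nonce: nonce, Ciphertext: ciphertext, WrappedKey: wrapped}, nil
}

// RecoverWithPrivateKey models the only recovery path: unwrap the AES key with
// the operator's private key, then decrypt. Any other private key fails at the
// OAEP unwrap, which is why the wrapped blob alone is useless to the victim.
func RecoverWithPrivateKey(operatorPriv *rsa.PrivateKey, wf *WrappedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, operatorPriv, wf.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap AES key: wrong private key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, wf.Nonce, wf.Ciphertext, nil)
}

// DemonstrateRecovery runs the scheme on a constructed sample against two
// operator key pairs: the one the sample was encrypted for and an unrelated one.
func DemonstrateRecovery(sample []byte) (rightKeyRecovers, wrongKeyFails bool, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	wf, err := EncryptWithRuntimeKey(&operator.PublicKey, sample)
	if err != nil {
		return false, false, err
	}
	got, err := RecoverWithPrivateKey(operator, wf)
	rightKeyRecovers = err == nil && bytes.Equal(got, sample)

	unrelated, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	_, err = RecoverWithPrivateKey(unrelated, wf)
	wrongKeyFails = err != nil
	return rightKeyRecovers, wrongKeyFails, nil
}

func main() {
	sample := []byte("constructed sample document, not real victim data")
	ok, fails, err := DemonstrateRecovery(sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("operator key recovers plaintext: %v\n", ok)
	fmt.Printf("unrelated key fails to recover:  %v\n", fails)
}
```

The point for responders is the last function: the wrapped key blob is the only key material left on the host, and without the operator’s private key it does not help. That is why the quote points defenders at prevention and recovery best practices rather than at breaking the encryption.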

Cointelegraph previously reported that DoppelPaymer hackers leaked a number of archive files belonging to NASA through a portal operated by the gang, including HR documents and project plans. The files came from Maryland-based Digital Management Inc, or DMI, an IT contractor that works with several companies and government entities.
