Thanos/Hakbit Ransomware Uses RIPlace Evasion Method

What Is It?

A new ransomware, Thanos (named by its creator) was recently described by researchers from Recorded Future as the first ransomware variant that makes use of the RIPlace anti-ransomware evasion method.

Details of the RIPlace evasion method were released by Nyotron researchers in November 2019. Nyotron followed responsible disclosure practices and had advised numerous endpoint security vendors of the issue six months prior to publicly releasing the details. RIPlace allows ransomware to bypass anti-ransomware protections used by endpoint security products and by Windows 10 itself.

RIPlace uses a slight variation on a method that ransomware uses to replace the original file with an encrypted version. This method involves copying the encrypted file data from memory to a new file and then renaming that file to replace the original file. The RIPlace method creates a DOS device name that points to the original file and is passed to the rename command. It requires very little in the way of code changes. RIPlace also bypasses the Controlled Folder Access feature built into Windows 10.

Thanos was first discovered in January 2020 and sold on Russian hacker forums, using the RaaS (Ransomware as a Service) model. Researchers believe that Thanos was originally distributed privately in October 2019. Over time the ransomware has continued to be developed, with newer Thanos variants renamed to Hakbit.

As expected of RaaS malware, subscribers are given access to a tool in order to create their own specific variants of the ransomware. This allows them to choose various options relating to the configuration of the ransomware, including anti-analysis techniques, the filename extensions to encrypt, the filename extension to be added to encrypted files and a specific date and time when the encryption process will begin. This option gives attackers time to wait until the maximum number of endpoints in a network is infected and then have each endpoint encrypt files at the same time for maximum impact. Also optional is the exfiltration of files of certain file types via FTP prior to their encryption, as the threat of releasing these files publicly is then used in order to coerce the victim organization to pay the ransom in a timely manner. The ransomware can also be instructed via configuration to attempt to spread to other systems on the network, using the legitimate PSExec tool and wake-on-LAN magic packets.

One interesting option that attackers should use judiciously is setting a static password for file encryption, rather than the more secure choice of a randomly generated password which is then encrypted with the attacker’s RSA public key. If a static password is used and a sample of the ransomware used to encrypt a given set of files is identified and analyzed, it is highly likely the files could be decrypted. The inclusion of this option may be more appealing to less skilled attackers, for whom the concept of public/private key cryptography might be too advanced.

How Does It Propagate?

If enabled, the malware can make use of the legitimate PsExec command-line tool to copy and execute the ransomware on other network-connected devices. The most common attack vector for most initial ransomware infections remains social engineering, either as malicious attachments or downloads performed by malicious documents.

When/How Did BluVector Detect It?

A total of 42 publicly available samples of Thanos and Hakbit ransomware were listed in the Recorded Future research. BluVector’s patented Machine Learning Engine (MLE) detected them all, with regression testing showing the samples would have been detected an average of 67 months prior to their release.

All Threat Reports