The code has been traced to a Russian hacker going by the name Nosophorus, who has been offering the software as ‘Ransomeware-as-a-service’ on Russian-speaking forums on the Dark Web since February 2020.
The reason for Thanos’ increasing popularity is that Nosophorus has monetized its spread, creating an affiliate program that shares revenue from any ransom payments collected. This is only one of a number of interesting and alarming features about the code, however.
Most of the ransomware written in C# isn’t very robust or sophisticated. However, Thanos is an exception, sporting a modular design that makes it easy to upgrade or reconfigure based on each hacker’s specific needs.
In addition to that, Thanos is the first ransomware strain that makes use of RIPlace anti-ransomware evasion techniques, which makes it notoriously difficult to detect and prevent. The technique was first discovered by a security researcher going by the name of Nyotron. He duly reported it to security companies around the world, only to be told that the technique, while interesting, was purely theoretical and would never be seen in the wild.
Sadly, those predictions have now been proved to be incorrect. Thanos is actively making use of the evasion technology, which leaves security companies scrambling to catch up. Unfortunately, when RIPlace was described to Microsoft, a spokesman for the company had something to say.
“The technique described is not a security vulnerability and does not satisfy our Security Servicing Criteria. Controlled folder access is a defense-in-depth feature and the reported technique requires elevated permissions on the target machine.”
Given this and the other advanced features Thanos sports, you can bet that it’s going to see increasingly widespread use. Ultimately, this will force big tech firms to take action, but not before the malware has the opportunity to do serious damage. Be on the alert for this one. Thanos is a serious threat.