Categories: SecurityWorkspace

Thanos Ransomware Adds New Features

A ransomware tool launched late last year has emerged as one of the most complex and adaptable malware-as-a-service variants on the scene, researchers have warned.

The Thanos ransomware, named after a Marvel supervillain, launched in November 2019 and has continued to evolve rapidly, with the addition of specialised tools and features.

Two of the most notable recent additions include RIPlace, a method for evading antivirus software, and a bootlocker that prevents infected systems from loading, said security firm SentinelOne.

“This tool is far more complex and robust than many previous builder-based ransomware services such as NemeS1S and Project Root,” SentinelOne researcher Jim Walter wrote in an advisory.

Custom malware

Thanos allows attackers to generate customised payloads with widely varied features and options, Walter said, adding that it is currently the only widely recognised threat making use of RIPlace.

The tool’s developers began releasing updates in January and the most recent iteration appeared only last month, Walter said.

The malware also goes to unusual lengths to evade security protections.

The most recent update includes a certain amount of code rebuilding in order to evade signature-based security scanners, Walter said.

“The actors behind Thanos are very aware of their ‘clients’ needs and the attention they are getting from the security industry,” he wrote.


As a result organisations should not rely solely on signature-based tools to protect them from such threats, Walter said.

Thanos has spread primarily via phishing emails, with more recent lures using financial-based hooks such as tax refund details, invoice schemes or economic stimulus package updates.

“Thanos is cementing its position as a primary tool for low-to-mid level criminals looking for an effective, easy-to-use malware tool that will both yield results and allow them to customise for their own specific target groups,” Walter wrote.

On the high end, SentinelOne also profiled the methods of a hacking group that used a Trickbot infection as the starting point to conduct a thorough scan of an organisation’s network before launching a Ryuk ransomware infection.

The breach indicates the lengths attackers are willing to go to in an effort to obtain ransoms that can run into the millions of pounds for high-value targets, SentinelOne said.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

DeepMind Co-Founder Suleyman Departs For Investment Firm

DeepMind co-founder Mustafa Suleyman leaves parent company Google for Silicon Valley venture capital firm after…

6 hours ago

US Legislation To Boost Chip Funding Set For House

US House of Representatives set to introduce bill on tech funding and domestic chip manufacturing,…

7 hours ago

Intel Says Ohio Site Could Become World’s Biggest Chip Plant

Intel chooses Ohio site for manufacturing investment that could grow to $100bn over ten years,…

7 hours ago

Digital Bank Chime Financial Plans Massive IPO

Chime Financial plans New York IPO worth up to $40bn after Covid-19 pandemic leads to…

8 hours ago

Twitter Shake-Up Sees Departure Of Top Security Staff

Twitter says head of security no longer at company and chief information security officer to…

8 hours ago

Google Asks Judge To Dismiss Most Of Texas Antitrust Case

Google asks federal judge to dismiss most counts of antitrust case filed by Texas and…

9 hours ago