Categories: SecurityWorkspace

Thanos Ransomware Adds New Features

A ransomware tool launched late last year has emerged as one of the most complex and adaptable malware-as-a-service variants on the scene, researchers have warned.

The Thanos ransomware, named after a Marvel supervillain, launched in November 2019 and has continued to evolve rapidly, with the addition of specialised tools and features.

Two of the most notable recent additions include RIPlace, a method for evading antivirus software, and a bootlocker that prevents infected systems from loading, said security firm SentinelOne.

“This tool is far more complex and robust than many previous builder-based ransomware services such as NemeS1S and Project Root,” SentinelOne researcher Jim Walter wrote in an advisory.

Custom malware

Thanos allows attackers to generate customised payloads with widely varied features and options, Walter said, adding that it is currently the only widely recognised threat making use of RIPlace.

The tool’s developers began releasing updates in January and the most recent iteration appeared only last month, Walter said.

The malware also goes to unusual lengths to evade security protections.

The most recent update includes a certain amount of code rebuilding in order to evade signature-based security scanners, Walter said.

“The actors behind Thanos are very aware of their ‘clients’ needs and the attention they are getting from the security industry,” he wrote.


As a result organisations should not rely solely on signature-based tools to protect them from such threats, Walter said.

Thanos has spread primarily via phishing emails, with more recent lures using financial-based hooks such as tax refund details, invoice schemes or economic stimulus package updates.

“Thanos is cementing its position as a primary tool for low-to-mid level criminals looking for an effective, easy-to-use malware tool that will both yield results and allow them to customise for their own specific target groups,” Walter wrote.

On the high end, SentinelOne also profiled the methods of a hacking group that used a Trickbot infection as the starting point to conduct a thorough scan of an organisation’s network before launching a Ryuk ransomware infection.

The breach indicates the lengths attackers are willing to go to in an effort to obtain ransoms that can run into the millions of pounds for high-value targets, SentinelOne said.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Uber, Lyft Drivers Classified As Employees, Judge Rules

Gig economy change. Judge in California rules drivers for Uber and Lyft are employees, and…

12 hours ago

Tim Cook Now A Billionaire After Apple Share Surge

Welcome to the club. CEO Tim Cook now said to be a billionaire after almost…

14 hours ago

Police Use Of Facial Recognition Breached Privacy, Court Rules

Milestone ruling. The UK Court of Appeal rules use of automatic facial recognition (AFR) tech…

15 hours ago

Trump Administration Announces 5G Spectrum Auction

5G growth. The White House has announced a spectrum auction to strengthen “the United States’…

17 hours ago

Toshiba Confirms Exit From Laptop Sector

Japanese conglomerate sells its final stake in PC maker Dynabook, marking the end of 35…

18 hours ago

Researchers Uncover Stuxnet-Style Flaw In Windows

The zero-day vulnerability affects the same Windows component used by Stuxnet to attack critical infrastructure…

2 days ago