Focus on ransomware that thwarts security measures

It is a computer program that was discovered at the beginning of this year precisely during the month of January.

He calls himself Thanos, in homage to the supervillain of Marvel movies. According to the authorities responsible for combating cyber malice, it was developed by a group of cyber criminals named Nosophoros. Its particularity lies in the fact that it is able to circumvent the security measures installed in a network or computer system, which can go so far as to disable this protection. A very rare ability based on the use of a RIPlace technique. Added to the fact that Thanos is a ransom program, the damage it can cause is pretty impressive.From the common core of the Thanos ransomware, it was developed by cyber criminals the Crypto and Program classes.

This article will also interest you: Tycoon, the new ransomware that threatens Windows and Linux

With such a pawn in the game, cybercrime has become like a game of chat and mouse between those responsible for security information systems and malicious hackers. And unfortunately for security officials, the mouse is very difficult to intercept or even neutralize.

It should also be noted that the discovery in January 2020 of this ransomware was made by Inskit Group, a conglomerate working in cyber defence, and brought it to the world's attention in a report describing how this malware works. According to Inskit Group, the cybercriminals behind this malware put it up for sale on the dark web, in the form of a customizable version, up to 43 configurations available. In ways to adapt its use to the needs of cyber criminals who would be tempted by this program. The most impressive thing about all this is that the hackers of the Nosophoros group are not only selling the computer program, but will also professionalize their illicit trade by offering an after-sales service, access to a particular distribution model, often followed by an update offer to bring more functionality to the malware. "The Thanos customer is simple in its overall structure and functionality. It's written in C- and is easy to understand despite its offal, [consistant à rendre un exécutable ou un code source illisible et difficile à comprendre par un être humain ou un dé compilateur, NDLR]and although it incorporates more advanced features such as the RIPlace technique," notes Inskit Group.

It should also be noted that Thanos integrates in its trunk, nearly 12 years to 17 classes like Program, Crypto, NetworkSpreading, Wake on LAN, allowed so many others, and vary according to customer demand.

As we have described a little earlier, thanks to the RIPlace technique that is embedded in this ransomware, it is allowed to bypass the security systems put in place to protect systems and even networks. Whether it's firewalls like antivirus solutions, this program can disable them to continue what it's been running for. "With best security practices such as banning external FTP connections and blacklisting known offensive security tools, the risks associated with Thanos' two key components – Data Stealer and Lateral Movement (via SharpExec) – can be avoided," says Inskit Group.

Computer security specialists Kaspersky Carbon Black said they are each working on a way to fix the RIPlace security flaw. "The Thanos client uses AES-256 in CBC mode to encrypt user files. The key used for AES encryption is derived from a password and a salt that is made through the Windows function call rfc2898DeriveBytes. Once the Thanos client has used this key to encrypt all the files they discover, they use a built-in RSA 2048 public key to encrypt the AES password used. The base64 chain of this encrypted password is added to the ransom note, asking the victim to send the encrypted password chain to the threat actors to decipher their files. The private key associated with the public key used to encrypt the password is required to decrypt the AES password. Only the operator who created the Thanos customer must have access to the private key," Inskit Group said.

Moreover, if today the RIPlace technique has become a vulnerability for the computer defense system, it is because from the beginning it has been neglected by defense solutions vendors and other software providers. Indeed, at the end of 2019, Nyotron was the subject of a POC. Some vendors such as Microsoft had been notified. But they did not consider it a vulnerability at the time, with the exception of Carbon Black and Kaspersky, which did not hesitate to upgrade their security solutions. And as early as 2020, cyber criminals rushed to the darkweb to take advantage of the opportunity.

Now access an unlimited number of passwords: