
Thanos Ransomware First to Weaponize RIPlace Tactic
2020-06-10 13:30

Thanos is the first ransomware family observed that advertises the use of the RIPlace tactic.

The Thanos ransomware builder lets operators create ransomware clients with a range of options for use in attacks.

One of the company-tier features is the ability to change the Thanos encryption process to use the RIPlace technique, which was released last year by Nyotron as a PoC. The PoC showed how ransomware can replace a victim's files with encrypted data by writing the encrypted data from memory to a new file and then using the "Rename" call to replace the original file.
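The write-then-rename sequence described above can be looked for in file-activity telemetry. The following Python is an added example for defenders, not code from the article, Nyotron or Recorded Future; the event tuple layout, the time window and the threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

WINDOW_S = 10.0  # assumed: max seconds between create and rename, and burst span
MIN_FILES = 3    # assumed: distinct originals replaced before a process is flagged

# Constructed sample events, not real telemetry. Assumed layout:
# (time_s, pid, op, src_path, dst_path, dst_existed_before_rename)
EVENTS = [
    (0.0, 410, "create", r"C:\docs\report.tmp", None, False),
    (0.2, 410, "rename", r"C:\docs\report.tmp", r"C:\docs\report.docx", True),
    (5.0, 977, "create", r"C:\docs\n1", None, False),
    (5.1, 977, "rename", r"C:\docs\n1", r"C:\docs\a.xlsx", True),
    (5.2, 977, "create", r"C:\docs\n2", None, False),
    (5.3, 977, "rename", r"C:\docs\n2", r"C:\docs\b.docx", True),
    (5.4, 977, "create", r"C:\docs\n3", None, False),
    (5.5, 977, "rename", r"C:\docs\n3", r"C:\docs\c.pdf", True),
    (6.0, 512, "rename", r"C:\docs\old.txt", r"C:\docs\new.txt", False),
]

def find_replace_by_rename(events, window_s=WINDOW_S, min_files=MIN_FILES):
    """Return {pid: sorted replaced paths} for processes that write a new file
    and then rename it over an existing one, for at least min_files distinct
    files inside one window_s span."""
    created = defaultdict(dict)  # pid -> {new file path: creation time}
    hits = defaultdict(list)     # pid -> [(rename time, replaced path)]
    for ts, pid, op, src, dst, dst_existed in sorted(events, key=lambda e: e[0]):
        if op == "create":
            created[pid][src] = ts
        elif op == "rename" and dst_existed:
            born = created[pid].pop(src, None)
            # Only count renames whose source this process wrote moments ago.
            if born is not None and ts - born <= window_s:
                hits[pid].append((ts, dst))
    flagged = {}
    for pid, items in hits.items():
        # A single replace is what editors do on a safe save; require a burst.
        for i, (start, _) in enumerate(items):
            burst = {d for t, d in items[i:] if t - start <= window_s}
            if len(burst) >= min_files:
                flagged[pid] = sorted({d for _, d in items})
                break
    return flagged

if __name__ == "__main__":
    for pid, paths in find_replace_by_rename(EVENTS).items():
        print(f"pid {pid} replaced {len(paths)} files by rename: {paths}")
```
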

Based on code similarity, string reuse, the ransomware extension and the format of the ransom notes, researchers say they assess "with high confidence" that ransomware samples tracked as Hakbit are built using the Thanos ransomware builder developed by Nosophoros.

Thanos is under active development by its operators: researchers have observed the ransomware receiving positive feedback from cybercriminals on underground forums, with claims that the tool "works flawlessly" and requests to "keep the updates coming." That said, to date, Recorded Future researchers have not explicitly observed Thanos being used as part of an actual attack against a company, Kaye told Threatpost.


News URL

https://threatpost.com/thanos-ransomware-weaponize-riplace-tactic/156438/