Ransomware-as-a-service hits two state-run organizations

September 12, 2020
Tags: thanos ransomware, dark web, south africa, middle east, ransomware as a service, malware, antimalware, trojan

Prominent government organizations in the Middle East and North Africa have been victimized by a new ransomware that has become infamous this year because of the series of attacks it has caused. First seen in January, the Thanos ransomware landed on the watchlist of many cybersecurity experts when it was put on sale on the dark web in February as a ransomware-as-a-service program.

Thanks to its coding ingenuity and customizable features, Thanos has been used in numerous ransomware attacks targeting different businesses, governments, and financial institutions. To date, cyber authorities have spotted an estimated 130 variants of Thanos, drawn from reports of both publicized and non-publicized attacks.

The July attacks put the Thanos ransomware in the spotlight after its successful attack against targets in the Middle East and North Africa. According to the report, the variant used was more intelligent and more vicious than before. The ransomware not only encrypts the contents of the infected system and spreads to other devices connected to the network, but, worst of all, it was able to infect a vital program on many systems: the Master Boot Record (MBR). The MBR, the program that tells a computer how to start up, is a critical component of every device, so this capability would be catastrophic for any victim. Fortunately, a coding flaw limits the damage: the ransomware does not overwrite the whole program; instead, it only displays the same ransom message at boot.
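Because the MBR is the first sector read at startup, a defender's most useful check is a baseline comparison of that sector: hash the first 512 bytes of each disk when a system is known-good and compare later. The following is an added example, not code from the original article or from any vendor named in it; the sample boot sectors are constructed inline, and the device paths in the comments are assumptions for illustration.

```python
import hashlib

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid legacy MBR
PARTITION_TABLE_OFFSET = 446          # 4 entries x 16 bytes follow the bootstrap code


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Construct a 512-byte MBR image: bootstrap code, one bootable partition
    entry, three empty entries, and the 0x55AA signature (constructed sample)."""
    code = bootstrap[:PARTITION_TABLE_OFFSET].ljust(PARTITION_TABLE_OFFSET, b"\x00")
    entry = (bytes([0x80, 0x01, 0x01, 0x00, 0x83, 0xFE, 0xFF, 0xFF])   # status 0x80, type 0x83
             + (2048).to_bytes(4, "little")                            # LBA start
             + (204800).to_bytes(4, "little"))                         # sector count
    table = entry + b"\x00" * 48
    return code + table + BOOT_SIGNATURE


def parse_partition_table(sector: bytes) -> list:
    """Decode the four 16-byte partition entries of an MBR."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        e = sector[off:off + 16]
        entries.append({
            "status": e[0],
            "type": e[4],
            "lba_start": int.from_bytes(e[8:12], "little"),
            "sectors": int.from_bytes(e[12:16], "little"),
        })
    return entries


def check_mbr(sector: bytes, baseline_sha256: str) -> dict:
    """Compare a boot sector against a known-good baseline hash and apply
    structural sanity checks. Returns the digest plus a list of findings."""
    findings = []
    if len(sector) != MBR_SIZE:
        findings.append(f"unexpected sector length {len(sector)}")
    if sector[-2:] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(sector).hexdigest()
    if digest != baseline_sha256:
        findings.append("boot sector differs from recorded baseline")
    entries = parse_partition_table(sector) if len(sector) >= MBR_SIZE else []
    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte {e['status']:#04x}")
    # Heuristic: a system disk whose baseline had a bootable entry should still have one.
    if entries and not any(e["status"] == 0x80 for e in entries):
        findings.append("no bootable partition entry present")
    return {"sha256": digest, "ok": not findings, "findings": findings}


def read_boot_sector(path: str) -> bytes:
    """Read the first 512 bytes of a raw device, e.g. /dev/sda on Linux or
    \\\\.\\PhysicalDrive0 on Windows (assumed paths; needs administrative rights)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


# Constructed known-good sector and its baseline hash, as recorded at deployment time.
GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16)
BASELINE_SHA256 = hashlib.sha256(GOOD_MBR).hexdigest()

# Constructed sector imitating a bootstrap area replaced by a text message, with the
# partition table wiped but the boot signature left intact.
TAMPERED_MBR = (b"CONSTRUCTED SAMPLE: boot message text".ljust(PARTITION_TABLE_OFFSET, b"\x00")
                + b"\x00" * 64 + BOOT_SIGNATURE)

if __name__ == "__main__":
    for name, sector in (("baseline", GOOD_MBR), ("suspect", TAMPERED_MBR)):
        result = check_mbr(sector, BASELINE_SHA256)
        print(name, "OK" if result["ok"] else "ALERT", result["findings"])
```

Run it on a schedule or from an endpoint agent with `read_boot_sector()` feeding `check_mbr()`; any mismatch against the stored baseline is worth an immediate look, since legitimate MBR changes (OS upgrades, bootloader installs) are rare and planned.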

An in-depth investigation linked the attacks in the Middle East and North Africa to the same perpetrator. The evidence shows that the ransom message was identical, demanding $20,000 and naming the same bitcoin ID. In tracing the infection, researchers saw that the ransomware's propagation to other devices on the network resulted from an earlier intrusion. This means the perpetrators were already lurking on the victim's systems with access to elevated credentials, which let them carry out their goals with ease before Thanos was delivered. Unfortunately, there was no definite information about how the ransomware was delivered to the victim system. The report only concluded that the Thanos ransomware was staged in system memory, where it self-extracted and self-installed.

If this destructive ransomware is ever completed, it will be a dreadful threat to many entities. With a working capability to overwrite the MBR of many devices, it could wipe whole systems and do immense damage to the victim. Luckily, countermeasures such as WildFire and Cortex XDR have already been developed to scan infected systems and block the other components of Thanos from completing the attack. This way, security administrators can put mitigation plans in place and stop the ransomware's destructive effects on the company.
