During our regular threat hunting operations, the Cyble Research team found a blog on the dark web hosted by the Prometheus ransomware group. The blog is a clear indication that the group is back in action.
In the blog, the group has affiliated itself with the REvil ransomware group, as shown in Figure 1.
Figure 1: Prometheus Blog
Based on our research, Cyble researchers found a sample of the Thanos ransomware being used by the Prometheus group in a recent ransomware attack. Our technical analysis of the file is shared below.
The Thanos ransomware is a highly obfuscated 32-bit .NET executable. On decompiling it, we saw that the file contains unreadable code, which made reversing it difficult. We used a de-obfuscation tool to read the contents of the file, but the code could not be fully de-obfuscated. While decompiling, we also found a data object containing a list of base64-encoded strings and several plain strings. These strings helped us identify the activities the ransomware can perform.
Figure 2 shows the list of base64 encoded strings.
Figure 2: Base64 Encoded Strings
Apart from the base64-encoded strings, the modified Thanos ransomware sample contained additional interesting strings related to document file extensions, the link file name used for persistence, system information, and the extensions of various database files. On running the program, we found that only files with document and database extensions are encrypted by the ransomware. Figure 3 shows the additional file types and the extracted information used to select file types for encryption.
Figure 3: Strings Used for Selecting File Types.
After finding the base64-encoded strings, we de-obfuscated them and observed that the ransomware enumerates them at runtime to check the running processes, as shown in Figure 4.
Figure 4: Processes Enumerated by the Ransomware
Our observations also indicated that the ransomware starts and stops various services and programs after enumerating the processes. The services it starts are described in the following table:

| Service  | Purpose |
|----------|---------|
| Dnscache | Client-side DNS resolution and caching for faster DNS queries. |
| FDResPub | Makes the computer and its resources visible on the network. |
| SSDPSRV  | Discovers networked devices. |
| upnphost | Discovers Universal Plug and Play (UPnP) devices. |

Table: Services Started by the Ransomware
The services started and stopped by the Prometheus ransomware are shown in Figure 5. The first four services are started by the ransomware, while the remaining ones are stopped.
Figure 5: Services Started and Stopped by the Ransomware.
The ransomware stops several services that are critical for various purposes, including antivirus, system backup and restore, database backup and restore, and reporting tools. Stopping these services blocks the backup and restore operations that could otherwise enable data recovery later. Figure 6 shows additional services that are terminated.
Figure 6: Additional Services Stopped
In addition to starting and stopping services, the Thanos ransomware also uses the sc (Service Control) command to permanently change service configuration. Figure 7 shows the parameters passed to sc to permanently change the shared network and device services.
Figure 7: SC Changing Configuration.
The ransomware also terminates multiple processes running on the system using taskkill.exe, both to speed up its own operation and because these programs are resource intensive and can lock the files targeted by the ransomware. Some of these programs are excel.exe, steam.exe, sqlwriter.exe, thunderbird.exe, and msaccess.exe. The targeted programs are listed in Figure 8.
Figure 8: Processes Terminated by taskkill.exe.
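The service start/stop, sc reconfiguration and taskkill behaviour described above leaves a recognisable trail in process-creation telemetry (for example Sysmon Event ID 1 or an EDR feed). The following is an added example, not code from the original post or from the analysed sample, of how a detection engineer might correlate those child command lines per parent process. The events, the watch-lists and the threshold of three findings are all constructed assumptions and should be tuned to the environment.

```python
import re
from collections import defaultdict

# Constructed process-creation events (parent PID + child command line), shaped
# like an EDR or Sysmon Event ID 1 feed; they are not taken from the real sample.
EVENTS = [
    {"ppid": 900, "cmd": "net start Dnscache"},
    {"ppid": 900, "cmd": "net start FDResPub"},
    {"ppid": 900, "cmd": 'net stop "SQLWriter"'},
    {"ppid": 900, "cmd": "sc stop VSS"},
    {"ppid": 900, "cmd": "sc config wbengine start= disabled"},
    {"ppid": 900, "cmd": "taskkill /F /IM excel.exe"},
    {"ppid": 900, "cmd": "taskkill /F /IM sqlwriter.exe"},
    {"ppid": 901, "cmd": "net stop Spooler"},  # lone admin action, not flagged
]

# Illustrative watch-lists seeded from the kinds of services and programs the
# post describes (discovery services started; backup/VSS/database/AV services
# stopped or disabled; file-locking applications killed).
DISCOVERY_SERVICES = {"dnscache", "fdrespub", "ssdpsrv", "upnphost"}
RECOVERY_SERVICES = {"vss", "sqlwriter", "wbengine", "swprv", "mssqlserver", "windefend"}
FILE_LOCKERS = {"excel.exe", "msaccess.exe", "sqlwriter.exe", "thunderbird.exe", "steam.exe"}

# Match the tool name with or without a path and .exe suffix.
TOOL = r"^(?:.*\\)?{}(?:\.exe)?\s+"
PATTERNS = [
    ("service_start", re.compile(TOOL.format("(?:net1?|sc)") + r"start\s+\"?([^\"\s]+)", re.I)),
    ("service_stop", re.compile(TOOL.format("(?:net1?|sc)") + r"stop\s+\"?([^\"\s]+)", re.I)),
    ("service_disable", re.compile(TOOL.format("sc") + r"config\s+\"?([^\"\s]+)\"?\s.*start=\s*disabled", re.I)),
    ("process_kill", re.compile(TOOL.format("taskkill") + r".*?/im\s+\"?([^\"\s]+)", re.I)),
]


def classify(cmd):
    """Map a command line to (kind, target) or None if it is not a service/process control."""
    for kind, pat in PATTERNS:
        m = pat.search(cmd)
        if m:
            return kind, m.group(1).lower()
    return None


def score_parents(events, threshold=3):
    """Group control commands by parent PID and return the parents whose children,
    taken together, produced at least `threshold` watch-listed findings."""
    findings = defaultdict(list)
    for ev in events:
        hit = classify(ev["cmd"])
        if not hit:
            continue
        kind, target = hit
        if kind == "service_start" and target in DISCOVERY_SERVICES:
            findings[ev["ppid"]].append(("discovery-service-started", target))
        elif kind in ("service_stop", "service_disable") and target in RECOVERY_SERVICES:
            findings[ev["ppid"]].append(("recovery-service-" + kind.split("_")[1], target))
        elif kind == "process_kill" and target in FILE_LOCKERS:
            findings[ev["ppid"]].append(("file-locker-killed", target))
    return {ppid: f for ppid, f in findings.items() if len(f) >= threshold}


if __name__ == "__main__":
    for ppid, hits in score_parents(EVENTS).items():
        print(f"parent PID {ppid}: {len(hits)} findings")
        for kind, target in hits:
            print(f"  {kind}: {target}")
```

Correlating by parent process rather than alerting on each `net stop` on its own is what keeps the rule quiet during routine administration while still catching a single process that starts discovery services, disables recovery services and kills file-locking applications in quick succession.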
This variant of the Thanos ransomware checks for various security tools used by malware researchers to reverse malware. These tools are listed in Figure 9.
Figure 9: List of Security Tools
The Thanos ransomware uses an interesting obfuscation technique. At runtime, it loads a reversed, base64-encoded string containing the registry information, as shown in Figure 10.
Figure 10: Obfuscation Used by the Ransomware
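Both the base64-encoded string list discussed earlier and the reversed-base64 registry string shown in Figure 10 can be recovered with the same small decoder during triage. The following is an added example, not code from the original post or from the analysed sample: it tries plain base64 first, then the reversed layout, and keeps only results that decode to printable text. The sample strings are constructed for the demonstration and are not values extracted from the real binary.

```python
import base64
import binascii
import re

# Constructed samples standing in for the strings the sample stores: one plain
# base64 token, one reversed base64 token and two plain strings.
PLAIN_B64 = base64.b64encode(b"taskmgr.exe").decode()
REV_B64 = base64.b64encode(b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run").decode()[::-1]
SAMPLE_STRINGS = [PLAIN_B64, REV_B64, ".docx", "not base64!!"]

# Standard base64 alphabet with optional trailing padding.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _try_b64(token):
    """Decode `token` as base64 and return printable text, or None if it is not."""
    if len(token) % 4 or not B64_TOKEN.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None


def decode_candidate(token):
    """Return (layout, decoded) for a plain or reversed base64 string, else None.

    A reversed token carries its '=' padding at the front, so the plain attempt
    fails the alphabet check and the reversed attempt is tried next.
    """
    plain = _try_b64(token)
    if plain is not None:
        return ("base64", plain)
    rev = _try_b64(token[::-1])
    if rev is not None:
        return ("reversed-base64", rev)
    return None


def decode_all(strings):
    """Annotate every string with the layout it was stored in and its decoded form."""
    out = []
    for s in strings:
        hit = decode_candidate(s)
        out.append((s, hit[0], hit[1]) if hit else (s, "plain", s))
    return out


if __name__ == "__main__":
    for raw, layout, decoded in decode_all(SAMPLE_STRINGS):
        print(f"{layout:16} {decoded}")
```

Running the decoder over the whole string table before dynamic analysis gives the same process, service and registry names the post recovered from Figures 2, 4 and 10, and the layout tag records which encoding trick each string used.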
For network operations, the ransomware changes the firewall rules to open various ports and allow outbound connections from other systems. Figure 11 shows the registry entries for allowing inbound connections on various ports.
Figure 11: Firewall Entries Edited.
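Windows persists firewall rules as registry values under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules, each value being a version token followed by pipe-separated Key=Value pairs. The following is an added example, not code from the original post or from the analysed sample, of parsing such values, listing the active inbound allow rules and diffing them against a known-good snapshot. The value names and rule contents are constructed for the demonstration; real value names are GUIDs.

```python
# Constructed registry values in the layout Windows uses for FirewallRules
# entries (version token, then |Key=Value| pairs). The names and contents are
# illustrative and are not the entries from the analysed sample.
RULES = {
    "{constructed-1}": "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=445|Name=File share|",
    "{constructed-2}": "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=C:\\Windows\\System32\\svchost.exe|Name=Remote Desktop|",
    "{constructed-3}": "v2.30|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=53|Name=DNS|",
    "{constructed-4}": "v2.30|Action=Block|Active=TRUE|Dir=In|Protocol=6|LPort=23|Name=Telnet block|",
    "{constructed-5}": "v2.30|Action=Allow|Active=FALSE|Dir=In|Protocol=6|LPort=5900|Name=Old VNC|",
}

# IANA protocol numbers as they appear in the Protocol field.
PROTO = {"6": "TCP", "17": "UDP"}


def parse_rule(value):
    """Split one FirewallRules value into (version, {key: value})."""
    tokens = value.split("|")
    fields = {}
    for tok in tokens[1:]:
        if tok:
            key, _, val = tok.partition("=")
            fields[key] = val
    return tokens[0], fields


def inbound_allows(rules):
    """Return active inbound allow rules as (value_name, local_port, protocol, rule_name)."""
    hits = []
    for name, raw in rules.items():
        _, f = parse_rule(raw)
        if (f.get("Dir") == "In" and f.get("Action") == "Allow"
                and f.get("Active", "").upper() == "TRUE"):
            proto = f.get("Protocol", "any")
            hits.append((name, f.get("LPort", "any"), PROTO.get(proto, proto), f.get("Name", "")))
    return hits


def new_inbound_allows(baseline, current):
    """Inbound allow rules present now but absent from a known-good snapshot."""
    known = {name for name, *_ in inbound_allows(baseline)}
    return [h for h in inbound_allows(current) if h[0] not in known]


if __name__ == "__main__":
    # Treat everything except the RDP rule as the golden baseline and show the delta.
    baseline = {k: v for k, v in RULES.items() if k != "{constructed-2}"}
    for name, port, proto, label in new_inbound_allows(baseline, RULES):
        print(f"new inbound allow {name}: {proto}/{port} ({label})")
```

On a live host the `RULES` dictionary would be populated from the registry key named above (for example with `winreg.EnumValue`); comparing against a snapshot taken at build time is more robust than keyword matching on rule names, which an attacker controls.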
The ransomware starts encryption after stopping all the backup and restore services, disabling security software, and changing the network state. The modified Thanos sample uses AES encryption and, after encrypting files, appends a custom extension that is unique to every malware file, unlike most other ransomware, which typically appends an extension derived from the infected system. Figure 12 shows the encrypted files with the extension.
Figure 12: Encrypted Files
While encrypting the files, the ransomware drops the ransom note in both HTA and text format. Figures 13 and 14 show the dropped files and the ransom note.
Figure 13: Dropping Ransom Note
Figure 14: Ransom Note
It is evident that more ransomware groups will emerge in the near future. Most of the time these groups reuse existing ransomware with slight modifications to evade detection. We recommend the following best practices for securing sensitive data and mitigating losses from ransomware attacks.
Indicators of Compromise (IoC):
Here is the list of SHA256 hashes of the files related to the recent Thanos ransomware attacks:
Organizations should implement the following best practices to strengthen the security posture of their systems.
- Check for instances of standard executables executing with the hash of another process.
- Implement multi-factor authentication (MFA), especially for privileged accounts.
- Use separate administrative accounts on different administration workstations.
- Employ Local Administrator Password Solution (LAPS).
- Allow the least privilege to employees on data access.
- Use MFA to secure Remote Desktop Protocol (RDP) and "jump boxes" for access.
- Secure your endpoints by deploying and maintaining endpoint defense tools.
- Always keep all software up-to-date.
- Keep antivirus signatures and engines up-to-date.
- Avoid adding users to the local administrators’ group unless required.
- Implement a strong password policy and enforce regular password changes.
- Configure a personal firewall on organization workstations to deny unwanted connection requests.
- Deactivate unnecessary services on organization workstations and servers.
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.