Thanos Operator Targets Police Department in United Arab Emirates
Overview
The SonicWall Capture Labs threat research team has come across a variant of Thanos ransomware targeted at a police department in the United Arab Emirates (UAE). Thanos ransomware is a customizable and highly adaptable ransomware-as-a-service (RaaS) tool that allows cybercriminals to create and deploy ransomware tailored to their needs. It is known for its data-stealing capabilities, the ability to spread through networks and the use of advanced evasion techniques to avoid detection.
Infection Cycle
Upon infection, the following notification appears on the desktop.
Figure 1: Notification
Files on the system are encrypted. Each encrypted file has the text “.crypted” appended to its name
A ransom note asking for $20,000 in Bitcoin is displayed on the desktop:
Figure 2: Ransom message
A file named HOW_TO_DECYPHER_FILES.txt is dropped into all directories containing encrypted files. It contains the following message:
Figure 3: Ransom message text file
If the system is rebooted, the following message is displayed during the login process:
Figure 4: Ransom message after reboot
The malware is written in .NET and is obfuscated. However, after disassembly, this obfuscation is easily thwarted as it only uses base64 to encode all of its strings. Using the following simple script, we were able to decode all base64 encoded strings and reveal the malware’s functionality:
Figure 5: Simple deobfuscation script
Figure 6: Deobfuscated code
The Thanos signature can be seen in the deobfuscated code:
Figure 7: Thanos marker
The “.crypted” file extension and a list of filetypes targeted for encryption is visible:
Figure 8: Targeted file types
The Windows Task Manager and various other backup and recovery services are disabled:
Figure 9: Disabling task manager
Figure 10: Disabling system recovery
The following base64 encoded text decodes to https://www.poweradmin.com/paexec/paexec.exe. Power Admin is downloaded and executed on the system for remote administration:
Figure 11: Power Admin download
ProcessHide is also downloaded and is used to hide Power Admin from process monitoring applications such as Windows Task Manager:
Figure 12: ProcessHide download
The malware scans the internal network for online machines. The username and password that was used leads us to believe that this variant of the malware is targeted toward the Sharjah Police Force in the UAE:
Figure 13: Network scanning
If those credentials do not work, there is a bigger list of usernames and passwords to try:
Figure 14: Additional credentials to try
We tried to reach out to the operator via email, but the email bounced.
SonicWall Capture Labs provides protection against this threat via the following signature:
- GAV: Thanos.RSM_2(Trojan)
This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.