Zscaler Blog

Security Research

Midas Ransomware: Tracing the Evolution of Thanos Ransomware Variants

RAJDEEPSINH DODIA
March 23, 2022 - 12 min read

Key Takeaways: An in-depth analysis of Midas and trends across other Thanos ransomware variants reveals how ransomware groups shifted tactics in 2021 to:

  • lower sunk costs by using RaaS builders to reduce development time
  • increase payouts with double extortion tactics by using their own data leak sites
  • extend the length and effectiveness of campaigns to get the highest investment returns by updating payloads and/or rebranding their own ransomware group

 

Advertised on the dark web as Ransomware-as-a-Service (RaaS), Thanos ransomware was first identified in February 2020. Written in C# and running on the .NET Framework, this serious offender reboots systems in safe boot mode to bypass antivirus detection and includes a builder that enables threat actors to create new variants by customizing samples. The source code of the Thanos builder was also leaked, and many different variants based on it have been seen. Here we discuss the four 2021 variants shown in Figure 1 below that used double extortion tactics.

 


Figure 1: Timeline of Thanos-derived ransomware variations

 

Beginning in February 2021, the Prometheus ransomware variant emerged as one of the new Thanos-built variants of the year. It encrypts files, appends the “.[{ID}],.PROM[prometheushelp@mail{.}ch] , {ID}[prometheusdec@yahoo{.}com]” extension and drops the “RESTORE_FILES_INFO.txt” and “RESTORE_FILES_INFO.hta” ransom notes. The Prometheus group, which operates the variant, has claimed to be part of the notorious REvil ransomware group responsible for the Kaseya supply chain attack; however, experts doubt the claim, as a solid connection between the two has never been established. This variant is known for using double extortion techniques to make organizations pay, including threatening to leak valuable data on its leak site. A quick check reveals that the leak site is currently down, but the threat still holds potential weight.

In July 2021, another Thanos-derived ransomware called Haron was discovered. It encrypts files, appends the “.{Targeted Company name}” extension and drops the “RESTORE_FILES_INFO.hta” and “RESTORE_FILES_INFO.txt” ransom notes. The Haron ransomware group also has its own data leak site used for double extortion. This variant has striking similarities with Avaddon ransomware, based on examination of the ransom note and data leak site information.

In September 2021, the Thanos builder was used again to develop the Spook ransomware variant. It encrypts files, appends the “.{ID}” extension and drops the “RESTORE_FILES_INFO.hta” and “RESTORE_FILES_INFO.txt” ransom notes. Similar to the other variants, Spook ransomware also uses double extortion techniques with its own data leak site, as shown in the screenshot below.

Rounding out the year in October 2021, another Thanos ransomware family emerged with the Midas variant, which appends the “.{Targeted Company name}” extension and drops the “RESTORE_FILES_INFO.hta” and “RESTORE_FILES_INFO.txt” ransom notes. In January 2022, ThreatLabz investigated a report of Midas ransomware being slowly deployed over a 2-month period, and the attacker was observed using different PowerShell scripts, remote access tools and an open source Windows utility.

Like the others, Midas features its own data leak site for double extortion. Interestingly, the site contains leaked victim data from a Haron ransomware attack, suggesting to researchers that Midas is potentially linked to the Haron ransomware operators.

 


Figure 2: Count of companies with leaked data by 2021 Thanos ransomware variants.

 

 

Identifying Thanos as the Source for the Prometheus, Haron, Spook, and Midas ransomware variants

Tracing the evolution of Thanos based ransomware variants back to the source provides threat researchers with an inside look at how ransomware gangs operate and evolve over time. To establish a connection between each variant, the ThreatLabz team looked for the use of common signatures and indicators that would point back to the Thanos ransomware builder. After determining that each variant was derived using the builder, the team set about analyzing the similarities and differences in the shifting techniques adversaries employ to make new variants of a common origin ransomware more effective. These observations help us to gain insights into the cooperation happening between adversary groups and better understand the development lifecycle and alternating impacts of ransomware through its variants.

The analysis that follows walks you through identifying Thanos variants by examining the common signatures found in the ransom note key identifiers and the consistent use of a common file marker, “GotAllDone”. It is followed by an in-depth analysis of the latest Midas variant.

 

Identifying Thanos Variants

All four of the 2021 Thanos based ransomware variants contain a key identifier with common signatures for the Thanos builder found in the ransom notes as shown in Figure 3 below.

 


 

Figure 3: Screenshots of ransom notes showing the common signature ‘Key Identifier’ for 2021 Thanos ransomware variants: Prometheus, Haron, Spook and Midas. 

 

Another similarity is that, after encrypting the data of each file, these variants append a Base64-encoded key to it. Prometheus, Haron, Spook, and Midas all use the same FileMarker, “GotAllDone”, appended at the end of each encrypted file. The screenshot below displays the FileMarker and the Base64-encoded key appended after the data encrypted by Midas ransomware.


Figure 4: Screenshots of FileMarker and Base64 encoded key appended


Midas Ransomware

The Midas data leak site currently displays data from 29 victim companies including data from several victims previously seen on the Haron data leak site which is now inactive. 


Figure 5: Screenshot of the Midas ransomware data leak site index page.

 

 


Figure 6: Screenshot of victim companies listed on Midas ransomware data leak site.

 

Technical analysis

Midas ransomware is written in C# and obfuscated using SmartAssembly. Once executed, this variant starts terminating processes using taskkill.exe. It terminates processes that would inhibit encryption, as well as processes related to security software and database programs, so that it can encrypt more files. Below is a list of the processes commonly terminated by Thanos-based ransomware.

 

Most commonly terminated processes:

 

RaccineSettings.exe

mspub.exe

CNTAoSMgr.exe

xfssvccon.exe

mydesktopqos.exe

sqlbrowser.exe

sqlwriter.exe

tbirdconfig.exe

visio.exe

sqlservr.exe

sqbcoreservice.exe

thebat64.exe

mysqld.exe

dbeng50.exe

Ntrtscan.exe

isqlplussvc.exe

synctime.exe

firefoxconfig.exe

winword.exe

ocomm.exe

agntsvc.exe

infopath.exe

ocautoupds.exe

mysqld-opt.exe

sqlagent.exe

powerpnt.exe

steam.exe

zoolz.exe

encsvc.exe

thebat.exe

tmlisten.exe

mbamtray.exe

PccNTMon.exe

mydesktopservice.exe

excel.exe

onenote.exe

msftesql.exe

wordpad.exe

ocssd.exe

mysqld-nt.exe

oracle.exe

dbsnmp.exe

outlook.exe

msaccess.exe

 

It also deletes the process, scheduled task and registry entries related to the Raccine tool. Raccine is a ransomware prevention tool that protects the system from ransomware processes that try to delete shadow copies.

Prometheus, Haron, Spook and Midas have all been seen terminating Raccine-related artifacts.

Figure 7: Command used to terminate the Raccine process and other artifacts.

 

The Midas variant is designed to stop services related to security products, database software, backups and email exchanges.

List of most commonly disrupted services:

 

start Dnscache /y
stop msexchangeimap4 /y
stop MSSQLServerADHelper /y
start FDResPub /y
stop ARSM /y
stop McAfeeEngineService /y
start SSDPSRV /y
stop MSSQL$BKUPEXEC /y
stop VeeamHvIntegrationSvc /y
start upnphost /y
stop unistoresvc_1af40a /y
stop MSSQLServerADHelper100 /y
stop avpsus /y
stop BackupExecAgentAccelerator /y
stop McAfeeFramework /y
stop McAfeeDLPAgentService /y
stop MSSQL$ECWDB2 /y
stop VeeamMountSvc /y
stop mfewc /y
stop audioendpointbuilder /y
stop MSSQLServerOLAPService /y
stop BMR Boot Service /y
stop BackupExecAgentBrowser /y
stop McAfeeFrameworkMcAfeeFramework /y
stop NetBackup BMR MTFTP Service /y
stop MSSQL$PRACTICEMGT /y
stop VeeamNFSSvc /y
stop DefWatch /y
stop BackupExecDeviceMediaService /y
stop MySQL57 /y
stop ccEvtMgr /y
stop MSSQL$PRACTTICEBGC /y
stop McShield /y
stop ccSetMgr /y
stop BackupExecJobEngine /y
stop VeeamRESTSvc /y
stop SavRoam /y
stop MSSQL$PROD /y
stop MySQL80 /y
stop RTVscan /y
stop AcronisAgent /y
stop McTaskManager /y
stop QBFCService /y
stop BackupExecManagementService /y
stop VeeamTransportSvc /y
stop QBIDPService /y
stop MSSQL$PROFXENGAGEMENT /y
stop OracleClientCache80 /y
stop Intuit.QuickBooks.FCS /y
stop Antivirus /y
stop mfefire /y
stop QBCFMonitorService /y
stop BackupExecRPCService /y
stop wbengine /y
stop YooBackup /y
stop MSSQL$SBSMONITORING /y
stop ReportServer$SQL_2008 /y
stop YooIT /y
stop MSSQL$SBSMONITORING /y
stop mfemms /y
stop zhudongfangyu /y
stop AVP /y
stop wbengine /y
stop stc_raw_agent /y
stop BackupExecVSSProvider /y
stop RESvc /y
stop VSNAPVSS /y
stop MSSQL$SHAREPOINT /y
stop mfevtp /y
stop VeeamTransportSvc /y
stop DCAgent /y
stop sms_site_sql_backup /y
stop VeeamDeploymentService /y
stop bedbg /y
stop SQLAgent$BKUPEXEC /y
stop VeeamNFSSvc /y
stop MSSQL$SQL_2008 /y
stop MSSQL$SOPHOS /y
stop veeam /y
stop EhttpSrv /y
stop SQLAgent$CITRIX_METAFRAME /y
stop PDVFSService /y
stop MMS /y
stop sacsvr /y
stop BackupExecVSSProvider /y
stop MSSQL$SQLEXPRESS /y
stop SQLAgent$CXDB /y
stop BackupExecAgentAccelerator /y
stop ekrn /y
stop SAVAdminService /y
stop BackupExecAgentBrowser /y
stop mozyprobackup /y
stop SQLAgent$ECWDB2 /y
stop BackupExecDiveciMediaService /y
stop MSSQL$SYSTEM_BGC /y
stop SAVService /y
stop BackupExecJobEngine /y
stop EPSecurityService /y
stop SQLAgent$PRACTTICEBGC /y
stop BackupExecManagementService /y
stop MSSQL$VEEAMSQL2008R2 /y
stop SepMasterService /y
stop BackupExecRPCService /y
stop MSSQL$TPS /y
stop SQLAgent$PRACTTICEMGT /y
stop AcrSch2Svc /y
stop EPUpdateService /y
stop ShMonitor /y
stop AcronisAgent /y
stop ntrtscan /y
stop SQLAgent$PROD /y
stop CASAD2DWebSvc /y
stop MSSQL$TPSAMA /y
stop Smcinst /y
stop CAARCUpdateSvc /y
stop EsgShKernel /y
stop SQLAgent$PROFXENGAGEMENT /y
stop sophos /y
stop PDVFSService /y
stop SmcService /y
stop MsDtsServer /y
stop MSSQL$VEEAMSQL2008R2 /y
stop SQLAgent$SBSMONITORING /y
stop IISAdmin /y
stop ESHASRV /y
stop SntpService /y
stop MSExchangeES /y
stop SDRSVC /y
stop SQLAgent$SHAREPOINT /y
stop EraserSvc11710 /y
stop MSSQL$VEEAMSQL2012 /y
stop sophossps /y
stop MsDtsServer100 /y
stop FA_Scheduler /y
stop SQLAgent$SQL_2008 /y
stop NetMsmqActivator /y
stop SQLAgent$VEEAMSQL2008R2 /y
stop SQLAgent$SOPHOS /y
stop MSExchangeIS /y
stop MSSQLFDLauncher$PROFXENGAGEMENT /y
stop SQLAgent$SQLEXPRESS /y
stop SamSs /y
stop KAVFS /y
stop svcGenericHost /y
stop ReportServer /y
stop SQLWriter /y
stop SQLAgent$SYSTEM_BGC /y
stop MsDtsServer110 /y
stop MSSQLFDLauncher$SBSMONITORING /y
stop swi_filter /y
stop POP3Svc /y
stop KAVFSGT /y
stop SQLAgent$TPS /y
stop MSExchangeMGMT /y
stop VeeamBackupSvc /y
stop swi_service /y
stop SMTPSvc /y
stop MSSQLFDLauncher$SHAREPOINT /y
stop SQLAgent$TPSAMA /y
stop ReportServer$SQL_2008 /y
stop kavfsslp /y
stop swi_update /y
stop msftesql$PROD /y
stop VeeamBrokerSvc /y
stop SQLAgent$VEEAMSQL2008R2 /y
stop SstpSvc /y
stop MSSQLFDLauncher$SQL_2008 /y
stop swi_update_64 /y
stop MSExchangeMTA /y
stop klnagent /y
stop SQLAgent$VEEAMSQL2012 /y
stop ReportServer$SYSTEM_BGC /y
stop VeeamCatalogSvc /y
stop TmCCSF /y
stop MSOLAP$SQL_2008 /y
stop MSSQLFDLauncher$SYSTEM_BGC /y
stop SQLBrowser /y
stop UI0Detect /y
stop macmnsvc /y
stop tmlisten /y
stop MSExchangeSA /y
stop VeeamCloudSvc /y
stop SQLSafeOLRService /y
stop ReportServer$TPS /y
stop MSSQLFDLauncher$TPS /y
stop TrueKey /y
stop MSOLAP$SYSTEM_BGC /y
stop masvc /y
stop SQLSERVERAGENT /y
stop W3Svc /y
stop VeeamDeploymentService /y
stop TrueKeyScheduler /y
stop MSExchangeSRS /y
stop MSSQLFDLauncher$TPSAMA /y
stop SQLTELEMETRY /y
stop ReportServer$TPSAMA /y
stop MBAMService /y
stop TrueKeyServiceHelper /y
stop MSOLAP$TPS /y
stop VeeamDeploySvc /y
stop SQLTELEMETRY$ECWDB2 /y
stop msexchangeadtopology /y
stop MSSQLSERVER /y
stop WRSVC /y
stop AcrSch2Svc /y
stop MBEndpointAgent /y
stop mssql$vim_sqlexp /y
stop MSOLAP$TPSAMA /y
stop VeeamEnterpriseManagerSvc /y
stop vapiendpoint /y

 

Another technique used by most variants of Thanos-based ransomware to evade detection is finding and terminating the processes of analysis tools by searching for the keywords shown below:

 

http analyzer stand-alone
NetworkTrafficView
CFF Explorer
fiddler
HTTPNetworkSniffer
protection_id
effetech http sniffer
tcpdump
pe-sieve
firesheep
intercepter
MegaDumper
IEWatch Professional
Intercepter-NG
UnConfuserEx
dumpcap
ollydbg
Universal_Fixer
wireshark
dnspy-x86
NoFuserEx
wireshark portable
dotpeek
cheatengine
sysinternals tcpview
dotpeek64
NetworkMiner
RDG Packer Detector

 

Further, it changes the configuration of specific services as shown below.


Figure 8: Screenshot of service configuration changes.

It deletes shadow copies using a PowerShell command so that the system is unable to recover data.

Command: "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete(); }
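The behaviours described in this section (Raccine tampering, a burst of "stop <service> /y" commands, and shadow copy deletion through WMI) can be hunted in process-creation telemetry. The following is an added example, not code from the original post or from Zscaler; the event tuple layout, the rule names, the thresholds and the assumption that services are stopped through net.exe are all hypothetical, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Assumption: services are stopped via net.exe; the article lists only the
# "stop <service> /y" arguments.
NET_STOP = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+"?(.+?)"?\s+/y\b', re.I)
RACCINE = re.compile(r'\b(?:taskkill|schtasks|reg)(?:\.exe)?\b.*raccine', re.I)
SHADOW = re.compile(r'win32_shadowcopy.*delete\(', re.I)

# Constructed events: (epoch seconds, host, parent PID, command line).
SAMPLE = [
    (100, "ws1", 4242, "taskkill.exe /F /IM RaccineSettings.exe"),
    (101, "ws1", 4242, "net.exe stop MSSQLServerADHelper /y"),
    (102, "ws1", 4242, "net.exe stop McAfeeEngineService /y"),
    (103, "ws1", 4242, "net.exe stop VeeamHvIntegrationSvc /y"),
    (103, "ws1", 4242, "net.exe stop VeeamHvIntegrationSvc /y"),  # duplicate event
    (104, "ws1", 4242, "net.exe stop VeeamMountSvc /y"),
    (105, "ws1", 4242, 'net.exe stop "BMR Boot Service" /y'),
    (130, "ws1", 4242, '"powershell.exe" & Get-WmiObject Win32_Shadowcopy'
                       ' | ForEach-Object { $_.Delete(); }'),
    (500, "srv9", 77, "net.exe stop Spooler /y"),  # lone admin action, no alert
]


def detect(events, window=60, min_services=5):
    """Return (time, host, rule) alerts for Thanos-style tampering in process events."""
    alerts, fired = [], set()
    stops = defaultdict(list)  # (host, parent PID) -> [(time, service)]
    for ts, host, ppid, cmd in sorted(events):
        if RACCINE.search(cmd):
            alerts.append((ts, host, "raccine-tamper"))
        if SHADOW.search(cmd):
            alerts.append((ts, host, "shadow-copy-delete"))
        match = NET_STOP.search(cmd)
        if not match:
            continue
        key = (host, ppid)
        stops[key].append((ts, match.group(1).lower()))
        # Count distinct services stopped by this parent inside the window.
        recent = {svc for t, svc in stops[key] if ts - t <= window}
        if len(recent) >= min_services and key not in fired:
            fired.add(key)
            alerts.append((ts, host, "service-stop-burst"))
    return alerts
```

Grouping by parent process keeps a single administrative "net stop" from alerting while still catching one process stopping many distinct services in quick succession.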


File Encryption

Midas ransomware searches through each drive and directory and encrypts the files. It creates a random key and encrypts each file using the Salsa20 algorithm. The Salsa20 key is then encrypted with the RSA public key, as shown in the screenshot below. The encrypted key is encoded in Base64 and appended to each impacted file. It also adds the FileMarker “GotAllDone” at the end of each encrypted file. The encrypted key is also saved in the registry under “HKEY_CURRENT_USER\SOFTWARE\KEYID\myKeyID”. After encryption, it drops the “reload1.lnk” file to open a ransom note at every restart.

Path: "C:\\Users\\{Username}\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\reload1.lnk".


Figure 9: Screenshot of encrypting Salsa20 key with RSA public key.
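For triage, the trailer described here and under "Identifying Thanos Variants" (a Base64-encoded key followed by the “GotAllDone” FileMarker at the end of the file) can be checked without reading whole files. This is an added example, not code from the original post; it assumes the marker and key are stored as ASCII bytes with the key immediately before the marker, and the tail size, minimum length and sample files are constructed for illustration.

```python
import base64
import binascii
import os
import tempfile

MARKER = b"GotAllDone"   # FileMarker named in the article
B64 = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
TAIL_BYTES = 4096        # assumption: key blob plus marker fit in the last 4 KiB
MIN_B64_LEN = 64         # assumption: shorter base64 runs are treated as coincidence


def parse_trailer(path):
    """Return the decoded key blob if the file ends with <base64 key><MARKER>, else None."""
    with open(path, "rb") as fh:
        fh.seek(max(0, os.path.getsize(path) - TAIL_BYTES))
        tail = fh.read()
    if not tail.endswith(MARKER):
        return None
    body = tail[:-len(MARKER)]
    start = len(body)
    while start > 0 and body[start - 1] in B64:   # walk back over base64 characters
        start -= 1
    # Ciphertext bytes just before the key can look like base64 by chance; padded
    # base64 is always a multiple of 4 long, so drop the excess on the left.
    blob = body[start:][(len(body) - start) % 4:]
    if len(blob) < MIN_B64_LEN:
        return None
    try:
        return base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None


def demo():
    """Run the parser over constructed files and return {name: key length or None}."""
    key = base64.b64encode(bytes(range(256)))   # stand-in for the RSA-encrypted key
    samples = {"db.bak.acme": b"\x00\xff" + key + MARKER,   # clean trailer
               "stray.acme": b"\xffAB" + key + MARKER,      # 2 stray base64-like bytes
               "odd.bin": b"\x00\xff" + MARKER,             # marker but no key blob
               "notes.txt": b"plain text"}                  # untouched file
    out = {}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            blob = parse_trailer(path)
            out[name] = len(blob) if blob is not None else None
    return out
```

Four or more ciphertext bytes that happen to fall in the Base64 alphabet directly before the key would survive the trim, so treat the recovered blob length as approximate when comparing it against an expected RSA block size.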

 

It encrypts files that have the extensions shown below:

[Image: list of targeted file extensions]

 

After encryption, it appends the “.{Targeted Company name}” extension and drops the “RESTORE_FILES_INFO.hta” and “RESTORE_FILES_INFO.txt” ransom notes. Below is a screenshot of the ransom note. RESTORE_FILES_INFO.hta doesn’t contain the Key ID, but RESTORE_FILES_INFO.txt does.

Figure 10: Ransom note of Midas

 

Cloud Sandbox Detection


Figure 11: Zscaler Cloud Sandbox detection of Midas ransomware

 

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels.

Win32.Ransom.Thanos

https://threatlibrary.zscaler.com/?threatname=win32.ransom.thanos

Win32.Ransom.Prometheus

https://threatlibrary.zscaler.com/?threatname=win32.ransom.prometheus

Win32.Ransom.Spook

https://threatlibrary.zscaler.com/?threatname=win32.ransom.spook

Win32.Ransom.Haron

https://threatlibrary.zscaler.com/?threatname=win32.ransom.haron

Win32.Ransom.Midas

https://threatlibrary.zscaler.com/?threatname=win32.ransom.midas

 

MITRE ATT&CK Technique

 

 

ID           Technique
T1059        Command and Scripting Interpreter
T1569.002    Service Execution
T1112        Modify Registry
T1562.001    Disable or Modify Tools
T1010        Application Window Discovery
T1057        Process Discovery
T1518.001    Security Software Discovery
T1083        File and Directory Discovery
T1490        Inhibit System Recovery
T1489        Service Stop
T1486        Data Encrypted for Impact

 

 

IOC

MD5:3767a7d073f5d2729158578a7006e4c4

 

About ThreatLabz
ThreatLabz is the security research arm of Zscaler. This world-class team is responsible for hunting new threats and ensuring that the thousands of organizations using the global Zscaler platform are always protected. In addition to malware research and behavioral analysis, team members are involved in the research and development of new prototype modules for advanced threat protection on the Zscaler platform, and regularly conduct internal security audits to ensure that Zscaler products and infrastructure meet security compliance standards. ThreatLabz regularly publishes in-depth analyses of new and emerging threats on its portal, research.zscaler.com.
