Key Takeaways: An in-depth analysis of Midas and trends across other Thanos ransomware variants reveals how ransomware groups shifted tactics in 2021 to:
- lower sunk costs by using RaaS builders to reduce development time
- increase payouts with double extortion tactics by using their own data leak sites
- extend the length and effectiveness of campaigns to get the highest investment returns by updating payloads and/or rebranding their own ransomware group
Advertised on the darkweb for Ransomware-as-a-Service (RaaS), Thanos ransomware was first identified in February 2020. Written in C# language running on the .net framework, this serious offender reboots systems in safeboot mode to bypass antivirus detection and includes a builder that enables threat actors to create new variants by customizing samples. Source code of Thanos builder also leaked and there are lots of different variants that have been seen based on that. Here we discuss the four 2021 variants shown in Figure 1 below that used double extortion tactics.
Figure 1:Timeline of Thanos derived ransomware variations
Beginning in February 2021, the Prometheus ransomware variant emerged as one of the new Thanos built variants of the year. It encrypts files and appends “.[{ID}],.PROM[prometheushelp@mail{.}ch] , {ID}[prometheusdec@yahoo{.}com] “ extension and drop “RESTORE_FILES_INFO.txt, RESTORE_FILES_INFO.hta” ransom note. The Prometheus group which operates the variant has claimed to be part of the notorious REvil ransomware group responsible for the Kaseya supply chain attack, however experts doubt the claim as a solid connection between the two has never been established. This variant is known for using double extortion techniques to make organizations pay that include threatening to leak valuable data on their leak site. A quick check reveals that the leak site is currently down, but the threat still holds potential weight
In July 2021, another Thanos derived ransomware called Haron was discovered. It encrypts files and appends “.{Targeted Company name}” extension and drops “RESTORE_FILES_INFO.hta,RESTORE_FILES_INFO.txt” ransom note. Haron ransomware group also have their own data leak site used for double extortion. This variant has striking similarities with Avaddon ransomware based on examination of the ransom note and data leak site information.
September 2021, the Thanos builder was used again to develop the Spook ransomware variant. It encrypts files and appends “.{ID}” extension and drops “RESTORE_FILES_INFO.hta,RESTORE_FILES_INFO.txt” ransom note. Similar to the other variants, Spook ransomware also uses double extortion techniques with their own data leak site as shown in the screenshot below.
Rounding out the year in October 2021, another Thanos ransomware family emerged with the Midas variant that appends “.{Targeted Company name}” extension and drops “RESTORE_FILES_INFO.hta and RESTORE_FILES_INFO.txt” ransom note. In January 2022, ThreatLabz investigated a report of Midas ransomware being slowly deployed over a 2-month period and the attacker was observed using different powershell scripts, remote access tools and an open source windows utility.
Like the others, Midas features its own data leak site for double extortion. Interestingly, the site contains leaked victim data from a Haron ransomware attack, suggesting to researchers that Midas is potentially linked to the Haron ransomware operators.
Figure 2: Count of companies with leaked data by 2021 Thanos ransomware variants.
Identifying Thanos as the Source for the Prometheus, Haron, Spook, and Midas ransomware variants
Tracing the evolution of Thanos based ransomware variants back to the source provides threat researchers with an inside look at how ransomware gangs operate and evolve over time. To establish a connection between each variant, the ThreatLabz team looked for the use of common signatures and indicators that would point back to the Thanos ransomware builder. After determining that each variant was derived using the builder, the team set about analyzing the similarities and differences in the shifting techniques adversaries employ to make new variants of a common origin ransomware more effective. These observations help us to gain insights into the cooperation happening between adversary groups and better understand the development lifecycle and alternating impacts of ransomware through its variants.
The analysis that follows walks you through identifying Thanos variants through an examination of common signatures found in the ransom note key identifiers and the consistent use of a common file marker “GotAllDone”. Followed by an in-depth analysis of the latest Midas variant.
Identifying Thanos Variants
All four of the 2021 Thanos based ransomware variants contain a key identifier with common signatures for the Thanos builder found in the ransom notes as shown in Figure 3 below.
Figure 3: Screenshots of ransom notes showing the common signature ‘Key Identifier’ for 2021 Thanos ransomware variants: Prometheus, Haron, Spook and Midas.
Another similarity is that after encryption they append base 64 encoded key after encrypting data of every file. Prometheus, Haron, Spook, and Midasall contain the same FileMarker that is “GotAllDone” appended at the end of each encrypted file. Below screenshot displays the FileMarker info and Base64 encoded key appended after the data encrypted by Midas ransomware.
Figure 4: Screenshots of FileMarker and Base64 encoded key appended
Midas Ransomware
The Midas data leak site currently displays data from 29 victim companies including data from several victims previously seen on the Haron data leak site which is now inactive.
Figure 5: Screenshot of the Midas ransomware data leak site index page.
Figure 6: Screenshot of victim companies listed on Midas ransomware data leak site.
Technical analysis
Midas ransomware is written in C# and obfuscated using smartassembly. Once executed this variant starts terminating processes using taskkill.exe. It terminates processes that inhibit encryption processes and processes related to security software, database related programs so it can encrypt more files. Below is a list of the common processes typically terminated by Thanos based ransomware.
Most commonly terminated processes:
RaccineSettings.exe mspub.exe CNTAoSMgr.exe xfssvccon.exe mydesktopqos.exe sqlbrowser.exe sqlwriter.exe tbirdconfig.exe visio.exe sqlservr.exe sqbcoreservice.exe thebat64.exe mysqld.exe dbeng50.exe Ntrtscan.exe |
isqlplussvc.exe synctime.exe firefoxconfig.exe winword.exe ocomm.exe agntsvc.exe infopath.exe ocautoupds.exe mysqld-opt.exe sqlagent.exe powerpnt.exe steam.exe zoolz.exe encsvc.exe thebat.exe |
tmlisten.exe mbamtray.exe PccNTMon.exe mydesktopservice.exe excel.exe onenote.exe msftesql.exe wordpad.exe ocssd.exe mysqld-nt.exe oracle.exe dbsnmp.exe outlook.exe msaccess.exe |
It also deletes the process, schedule task and registry related to the Raccine tool. It is a ransomware prevention tool that protects the system from ransomware processes to delete shadow copy.
Prometheus, Haron, Spook and Midas have been seen terminating Raccine related artifacts.
Figure 7: Command used to terminate Vaccine process and other artifacts.
The Midas variant is designed to stop service related to security products, database software, backups and email exchanges.
List of most commonly disrupted services:
start Dnscache /y | stop msexchangeimap4 /y |
stop MSSQLServerADHelper /y |
start FDResPub /y | stop ARSM /y |
stop McAfeeEngineService /y |
start SSDPSRV /y | stop MSSQL$BKUPEXEC /y |
stop VeeamHvIntegrationSvc /y |
start upnphost /y | stop unistoresvc_1af40a /y |
stop MSSQLServerADHelper100 /y |
stop avpsus /y | stop BackupExecAgentAccelerator /y |
stop McAfeeFramework /y |
stop McAfeeDLPAgentService /y | stop MSSQL$ECWDB2 /y |
stop VeeamMountSvc /y |
stop mfewc /y | stop audioendpointbuilder /y |
stop MSSQLServerOLAPService /y |
stop BMR Boot Service /y | stop BackupExecAgentBrowser /y |
stop McAfeeFrameworkMcAfeeFramework /y |
stop NetBackup BMR MTFTP Service /y | stop MSSQL$PRACTICEMGT /y | stop VeeamNFSSvc /y |
stop DefWatch /y | stop BackupExecDeviceMediaService /y | stop MySQL57 /y |
stop ccEvtMgr /y | stop MSSQL$PRACTTICEBGC /y | stop McShield /y |
stop ccSetMgr /y | stop BackupExecJobEngine /y |
stop VeeamRESTSvc /y |
stop SavRoam /y | stop MSSQL$PROD /y | stop MySQL80 /y |
stop RTVscan /y | stop AcronisAgent /y |
stop McTaskManager /y |
stop QBFCService /y | stop BackupExecManagementService /y |
stop VeeamTransportSvc /y |
stop QBIDPService /y | stop MSSQL$PROFXENGAGEMENT /y |
stop OracleClientCache80 /y |
stop Intuit.QuickBooks.FCS /y | stop Antivirus /y | stop mfefire /y |
stop QBCFMonitorService /y | stop BackupExecRPCService /y | stop wbengine /y |
stop YooBackup /y | stop MSSQL$SBSMONITORING / |
stop ReportServer$SQL_2008 /y |
stop YooIT /y | stop MSSQL$SBSMONITORING /y | stop mfemms /y |
stop zhudongfangyu /y | stop AVP /y | stop wbengine /y |
stop stc_raw_agent /y | stop BackupExecVSSProvider /y | stop RESvc /y |
stop VSNAPVSS /y | stop MSSQL$SHAREPOINT /y | stop mfevtp /y |
stop VeeamTransportSvc /y | stop DCAgent /y |
stop sms_site_sql_backup /y |
stop VeeamDeploymentService /y | stop bedbg /y |
stop SQLAgent$BKUPEXEC /y |
stop VeeamNFSSvc /y | stop MSSQL$SQL_2008 /y |
stop MSSQL$SOPHOS /y |
stop veeam /y | stop EhttpSrv /y |
stop SQLAgent$CITRIX_METAFRAME /y |
stop PDVFSService /y | stop MMS /y | stop sacsvr /y |
stop BackupExecVSSProvider /y | stop MSSQL$SQLEXPRESS /y |
stop SQLAgent$CXDB /y |
stop BackupExecAgentAccelerator /y | stop ekrn /y |
stop SAVAdminService /y |
stop BackupExecAgentBrowser /y | stop mozyprobackup /y |
stop SQLAgent$ECWDB2 /y |
stop BackupExecDiveciMediaService /y | stop MSSQL$SYSTEM_BGC /y | stop SAVService /y |
stop BackupExecJobEngine /y | stop EPSecurityService /y |
stop SQLAgent$PRACTTICEBGC /y |
stop BackupExecManagementService /y | stop MSSQL$VEEAMSQL2008R2 /y |
stop SepMasterService /y |
stop BackupExecRPCService /y | stop MSSQL$TPS /y |
stop SQLAgent$PRACTTICEMGT /y |
stop AcrSch2Svc /y | stop EPUpdateService /y | stop ShMonitor /y |
stop AcronisAgent /y | stop ntrtscan /y |
stop SQLAgent$PROD /y |
stop CASAD2DWebSvc /y | stop MSSQL$TPSAMA /y | stop Smcinst /y |
stop CAARCUpdateSvc /y | stop EsgShKernel /y |
stop SQLAgent$PROFXENGAGEMENT /y |
stop sophos /y | stop PDVFSService /y | stop SmcService /y |
stop MsDtsServer /y | stop MSSQL$VEEAMSQL2008R2 /y |
stop SQLAgent$SBSMONITORING /y |
stop IISAdmin /y | stop ESHASRV /y | stop SntpService /y |
stop MSExchangeES /y | stop SDRSVC /y |
stop SQLAgent$SHAREPOINT /y |
stop EraserSvc11710 /y | stop MSSQL$VEEAMSQL2012 /y | stop sophossps /y |
stop MsDtsServer100 /y | stop FA_Scheduler /y |
stop SQLAgent$SQL_2008 /y |
stop NetMsmqActivator /y | stop SQLAgent$VEEAMSQL2008R2 /y |
stop SQLAgent$SOPHOS /y |
stop MSExchangeIS /y | stop MSSQLFDLauncher$PROFXENGAGEMENT /y |
stop SQLAgent$SQLEXPRESS /y |
stop SamSs /y | stop KAVFS /y | stop svcGenericHost /y |
stop ReportServer /y | stop SQLWriter /y |
stop SQLAgent$SYSTEM_BGC /y |
stop MsDtsServer110 /y | stop MSSQLFDLauncher$SBSMONITORING /y | stop swi_filter /y |
stop POP3Svc /y | stop KAVFSGT /y | stop SQLAgent$TPS /y |
stop MSExchangeMGMT /y | stop VeeamBackupSvc /y | stop swi_service /y |
stop SMTPSvc /y | stop MSSQLFDLauncher$SHAREPOINT /y |
stop SQLAgent$TPSAMA /y |
stop ReportServer$SQL_2008 /y | stop kavfsslp /y | stop swi_update /y |
stop msftesql$PROD /y | stop VeeamBrokerSvc /y |
stop SQLAgent$VEEAMSQL2008R2 /y |
stop SstpSvc /y | stop MSSQLFDLauncher$SQL_2008 /y | stop swi_update_64 /y |
stop MSExchangeMTA /y | stop klnagent /y |
stop SQLAgent$VEEAMSQL2012 /y |
stop ReportServer$SYSTEM_BGC /y | stop VeeamCatalogSvc /y | stop TmCCSF /y |
stop MSOLAP$SQL_2008 /y | stop MSSQLFDLauncher$SYSTEM_BGC /y | stop SQLBrowser /y |
stop UI0Detect /y | stop macmnsvc /y | stop tmlisten /y |
stop MSExchangeSA /y | stop VeeamCloudSvc /y |
stop SQLSafeOLRService /y |
stop ReportServer$TPS /y | stop MSSQLFDLauncher$TPS /y | stop TrueKey /y |
stop MSOLAP$SYSTEM_BGC /y | stop masvc /y |
stop SQLSERVERAGENT /y |
stop W3Svc /y | stop VeeamDeploymentService /y |
stop TrueKeyScheduler /y |
stop MSExchangeSRS /y | stop MSSQLFDLauncher$TPSAMA /y |
stop SQLTELEMETRY /y |
stop ReportServer$TPSAMA /y | stop MBAMService /y |
stop TrueKeyServiceHelper /y |
stop MSOLAP$TPS /y | stop VeeamDeploySvc /y |
stop SQLTELEMETRY$ECWDB2 /y |
stop msexchangeadtopology /y | stop MSSQLSERVER /y | stop WRSVC /y |
stop AcrSch2Svc /y | stop MBEndpointAgent /y |
stop mssql$vim_sqlexp /y |
stop MSOLAP$TPSAMA /y | stop VeeamEnterpriseManagerSvc /y | stop vapiendpoint /y |
Another technique used by most variants of Thanos based ransomware is to evade detection by finding and terminating processes for analysis tools by searching the list of keywords shown below:
http analyzer stand-alone | NetworkTrafficView | CFF Explorer |
fiddler | HTTPNetworkSniffer | protection_id |
effetech http sniffer | tcpdump | pe-sieve |
firesheep | intercepter | MegaDumper |
IEWatch Professional | Intercepter-NG | UnConfuserEx |
dumpcap | ollydbg | Universal_Fixer |
wireshark | dnspy-x86 | NoFuserEx |
wireshark portable | dotpeek | cheatengine |
sysinternals tcpview | dotpeek64 | |
NetworkMiner | RDG Packer Detector |
Further, it changes the configuration of specific services as shown below.
Figure 8: Screenshot of service configuration changes.
It deletes shadow copy using powershell command so the system is unable to recover data.
Command : "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
File Encryption
Midas ransomware searches through each drive and directory and encrypts the files. It creates a random key and encrypts a file using Salsa20 algorithm. Then the Salsa20 key is encrypted by the RSA public key as shown in the screenshot below. The encryption key is encoded in base64 and appended to each impacted file. It also added FileMarker “GotAllDone” at the end of each encrypted file. The encrypted key is also saved in the Registry under “HKEY_CURRENT_USER\SOFTWARE\KEYID\myKeyID”. After encryption, it drops the “reload1.lnk” file to open a ransom note at every restart.
Path: "C:\\Users\\{Username}\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\reload1.lnk".
Figure 9: Screenshot of encrypting Salsa20 key with RSA public key.
It encrypts the file contained below extensions:
After encryption it appends “.{Targeted Company name}” extension and drops “RESTORE_FILES_INFO.hta and RESTORE_FILES_INFO.txt” ransom note. Below is the screenshot of the ransom note. RESTORE_FILES_INFO.hta doesn’t contain Key ID but RESTORE_FILES_INFO.txt contains key ID.
Figure 10: Ransom note of Midas
Cloud Sandbox Detection
Figure 11: Zscaler Cloud Sandbox detection of Midas ransomware
In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels.
Win32.Ransom.Thanos
https://threatlibrary.zscaler.com/?threatname=win32.ransom.thanos
Win32.Ransom.Prometheus
https://threatlibrary.zscaler.com/?threatname=win32.ransom.prometheus
Win32.Ransom.Spook
https://threatlibrary.zscaler.com/?threatname=win32.ransom.spook
Win32.Ransom.Haron
https://threatlibrary.zscaler.com/?threatname=win32.ransom.haron
Win32.Ransom.Midas
https://threatlibrary.zscaler.com/?threatname=win32.ransom.midas
MITRE ATT&CK Technique
ID |
Technique |
T1059 |
Command and Scripting Interpreter |
T1569.002 |
Service Execution |
T1112 |
Modify Registry |
T1562.001 |
Disable or Modify Tools |
T1010 |
Application Window Discovery |
T1057 |
Process Discovery |
T1518.001 |
Security Software Discovery |
T1083 |
File and Directory Discovery |
T1490 |
Inhibit System Recovery |
T1489 |
Service Stop |
T1486 |
Data Encrypted for Impact |
IOC
MD5:3767a7d073f5d2729158578a7006e4c4
About ThreatLabz
ThreatLabz is the security research arm of Zscaler. This world-class team is responsible for hunting new threats and ensuring that the thousands of organizations using the global Zscaler platform are always protected. In addition to malware research and behavioral analysis, team members are involved in the research and development of new prototype modules for advanced threat protection on the Zscaler platform, and regularly conduct internal security audits to ensure that Zscaler products and infrastructure meet security compliance standards. ThreatLabz regularly publishes in-depth analyses of new and emerging threats on its portal, research.zscaler.com.
Further Reading: Zscaler Ransomware Protection