On July 6 and July 9, 2020, the Unit 42 team at Palo Alto Networks observed files associated with an attack on two state-run organisations in the Middle East and North Africa that ultimately installed and ran a variant of the Thanos ransomware. The Thanos variant created a text file that displayed a ransom message requesting the victim transfer “20,000$” into a specified Bitcoin wallet to restore the files on the system. Unit 42 does not have visibility into the overall impacts of these attacks or whether or not the threat actors were successful in receiving a payment from the victims.
The ransomware was also configured to overwrite the master boot record, which is an important component loaded on a system’s hard drive that is required for the computer to locate and load the operating system. The ransomware overwrites the MBR to display the same ransom message as the previously mentioned text file, which is a technique Unit 42 does not see often. Overwriting the MBR is a more destructive approach to ransomware than usual.
Victims would have to expend more effort to recover their files, even if they paid the ransom. Fortunately, in this case, the code responsible for overwriting the MBR caused an exception because the ransom message contained invalid characters, which left the MBR intact and allowed the system to boot correctly. This means that even though the ransomware was configured to overwrite the MBR, the threat actors failed to prevent the computers they infected with the Thanos ransomware from booting.
The Thanos ransomware has a builder that allows actors to customise the sample with a variety of available settings. The fact that Thanos is for sale suggests the likelihood of multiple threat actors using this ransomware. However, Unit 42 believes with high confidence that the same actor used a Thanos variant in attacks on two state-run organisations in the Middle East and North Africa.
Based on our telemetry, Unit 42 first observed Thanos on January 13, 2020, and has seen over 130 unique samples since. Unit 42 believes the threat actors had prior access to these organisations’ networks, as the samples contained credentials that Unit 42 believes the actors had stolen from systems on these organisations’ networks prior to the delivery of the ransomware.
This particular attack involved multiple layers of PowerShell scripts, inline C# code and shellcode in order to load Thanos into memory and to run it on the local system. These layers were largely based on code freely available in open source frameworks, such as Sharp-Suite and Donut. One of the layers involved a custom PowerShell script that was responsible for spreading Thanos to other systems on the local network using the previously mentioned stolen credentials.
Unit 42 analysed this specific Thanos sample that the actors built for the Middle Eastern and Northern African state-run organisations. Unit 42 determined that the ransomware was loaded into and run from within memory at these organisations. Unit 42 found the Thanos variant is functionally very similar to the variant discussed by Fortinet in July 2020. The sample analysed by Fortinet also had network-spreading functionality enabled, and it included network credentials from another state-run organisation in the same municipality as the Middle Eastern state-run organisation Unit 42 observed. The sample analysed by Fortinet included the same Bitcoin wallet and contact email that Unit 42 observed. When combined with the targeting of an organisation in the same municipality in a similar time frame, this suggests a common actor behind these attacks.