ThreatLabz analyzes Thanos-based ransomware variants (Prometheus, Haron, Spook, and Midas) to show how operators shifted tactics in 2021, using RaaS builders, double extortion, and variant revamps to extend campaigns. The Midas variant encrypts files with Salsa20 and RSA, drops RESTORE_FILES_INFO ransom notes, and maintains its own data leak site, suggesting links to Haron.
Key points
- Thanos-based variants (Prometheus, Haron, Spook, Midas) emerged in 2021 with RaaS builders to reduce development time.
- Double extortion is used via each variant’s own data leak site to pressure victims to pay.
- Variants share signatures, such as the ransom note markers and a common file marker “GotAllDone.”
- Midas extends the threat by encrypting files with Salsa20 and RSA, appending extensions like “.{Targeted Company name}” and dropping RESTORE_FILES_INFO.hta and RESTORE_FILES_INFO.txt notes.
- Technical operations include terminating security processes, disabling tools, stopping services, and deleting shadow copies to hinder recovery.
- Midas maintains a data leak site with data from numerous victims and shows potential links to Haron; threat actors reused payloads and rebranded variants.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – The attacker was observed using several PowerShell scripts, remote access tools and an open-source Windows utility.
- [T1569.002] Service Execution – The Midas variant is designed to stop services related to security products, database software, backups and email exchange.
- [T1112] Modify Registry – The encrypted key is saved in the registry under “HKEY_CURRENT_USER\SOFTWARE\KEYID\myKeyID”.
- [T1562.001] Disable or Modify Tools – Evades detection by finding and terminating the processes of analysis tools, matching process names against a built-in keyword list.
- [T1010] Application Window Discovery – Listed among the techniques used by the variants.
- [T1083] File and Directory Discovery – Used to locate files and directories for encryption.
- [T1490] Inhibit System Recovery – Deletes shadow copies with a PowerShell command so the system cannot recover data: “powershell.exe Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete(); }”
- [T1489] Service Stop – Stops a wide range of services (e.g., “stop avpsus /y” and similar service stop commands) to disrupt defenses and release locked files.
- [T1486] Data Encrypted for Impact – Midas encrypts files with Salsa20, protects the Salsa20 key with RSA, and appends the encoded key and a file marker to each encrypted file.
- [T1057] Process Discovery – The variants enumerate running processes and terminate a long list of them (the “most commonly terminated processes”) before encryption.
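The shadow-copy deletion (T1490) and service-stop (T1489) commands above are the most reliable command-line signals in this list, and they tend to fire on the same host within seconds of each other. The following detection is an added example, not ThreatLabz's tooling: it runs two regex rules over constructed process-creation events (Sysmon Event ID 1 style fields; hosts and users are placeholders, the two malicious command lines are the ones quoted on this page) and escalates any host that hits both techniques.

```python
import re
from typing import Dict, List

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
# The two malicious command lines are the ones quoted on this page; hosts and
# users are placeholders, and the last two events are benign look-alikes.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "alice",
     "cmd": "powershell.exe Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete(); }"},
    {"host": "ws01", "user": "alice", "cmd": "net stop avpsus /y"},
    {"host": "ws02", "user": "bob",
     "cmd": "powershell.exe Get-WmiObject Win32_Shadowcopy | Select-Object ID,InstallDate"},
    {"host": "ws03", "user": "svc-backup", "cmd": "net start wuauserv"},
]

# Detection rules: (ATT&CK technique, description, regex over the normalised command line).
# Listing shadow copies is legitimate admin activity; only the Delete() call is flagged.
RULES = [
    ("T1490", "shadow copy deletion via WMI",
     re.compile(r"win32_shadowcopy.*\bdelete\s*\(", re.IGNORECASE)),
    ("T1489", "forced service stop",
     re.compile(r"\b(?:net1?|sc(?:\.exe)?)\s+stop\b", re.IGNORECASE)),
]


def normalise(cmd: str) -> str:
    """Collapse whitespace so padding between tokens does not break matching."""
    return re.sub(r"\s+", " ", cmd).strip()


def evaluate(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one alert per rule that matches this event's command line."""
    cmd = normalise(event["cmd"])
    return [
        {"host": event["host"], "user": event["user"],
         "technique": tid, "rule": desc, "cmd": cmd}
        for tid, desc, rx in RULES
        if rx.search(cmd)
    ]


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Evaluate every event and collect the alerts in arrival order."""
    alerts: List[Dict[str, str]] = []
    for event in events:
        alerts.extend(evaluate(event))
    return alerts


def hosts_with_recovery_and_service_attacks(alerts: List[Dict[str, str]]) -> List[str]:
    """Hosts that hit both T1490 and T1489: the pairing seen in these variants is a
    much stronger ransomware signal than either technique alone."""
    seen: Dict[str, set] = {}
    for alert in alerts:
        seen.setdefault(alert["host"], set()).add(alert["technique"])
    return sorted(host for host, techs in seen.items() if {"T1490", "T1489"} <= techs)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for alert in found:
        print(f'{alert["host"]} [{alert["technique"]}] {alert["rule"]}: {alert["cmd"]}')
    print("escalate:", hosts_with_recovery_and_service_attacks(found))
```

The whitespace normalisation matters more than it looks: the same WMI one-liner is often emitted with doubled spaces or line continuations, and a rule anchored on the exact quoted string would miss it. Pairing the two techniques per host keeps the `net stop` rule, which is noisy on its own, from paging anyone until it co-occurs with recovery inhibition.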
Indicators of Compromise
- [Hash] MD5 – 3767a7d073f5d2729158578a7006e4c4
- [File name] RESTORE_FILES_INFO.txt, RESTORE_FILES_INFO.hta
- [Startup/File path] C:\Users\{Username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reload1.lnk
- [File extension] .{ID}, .{Targeted Company name}
- [FileMarker] GotAllDone – appended marker after encrypted files
- [Registry] HKEY_CURRENT_USER\SOFTWARE\KEYID\myKeyID – RSA/Salsa key metadata stored in the registry
- [Process] RaccineSettings.exe, mspub.exe (examples of terminated processes related to security tools)
- [Command] powershell.exe Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete(); } – used to delete shadow copies
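Several of the indicators above are on-disk artifacts that survive after the process has exited: the “GotAllDone” marker appended to encrypted files, the RESTORE_FILES_INFO notes, and the reload1.lnk dropped in the Startup folder. The sweep below is an added example, not ThreatLabz's tooling: it builds a constructed directory tree (the “.ExampleCorp” extension stands in for the “.{Targeted Company name}” pattern, and the shortcut bytes are a placeholder), then classifies each file by those three indicators. Reading only the tail of each file is an assumption based on the page's statement that the marker is appended after encryption; the registry indicator is not checked because it needs a Windows host.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

FILE_MARKER = b"GotAllDone"                      # marker the page says is appended to encrypted files
NOTE_NAMES = {"restore_files_info.txt", "restore_files_info.hta"}
STARTUP_LNK = "reload1.lnk"
TAIL_BYTES = 4096   # assumption: the appended marker sits within the last few KiB of a file


def has_file_marker(path: Path) -> bool:
    """Read only the tail of the file so a sweep over large volumes stays cheap."""
    size = path.stat().st_size
    with path.open("rb") as fh:
        fh.seek(max(0, size - TAIL_BYTES))
        return FILE_MARKER in fh.read()


def classify(path: Path) -> List[str]:
    """Tag one file with every indicator it matches (a file may match more than one)."""
    tags: List[str] = []
    name = path.name.lower()
    if name in NOTE_NAMES:
        tags.append("ransom_note")
    if name == STARTUP_LNK and path.parent.name.lower() == "startup":
        tags.append("startup_persistence")
    if has_file_marker(path):
        tags.append("encrypted_marker")
    return tags


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk the tree and return {relative_path: [tags]} for every file that matched."""
    findings: Dict[str, List[str]] = {}
    for p in root.rglob("*"):
        if p.is_file():
            tags = classify(p)
            if tags:
                findings[str(p.relative_to(root)).replace(os.sep, "/")] = tags
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed fixture: one 'encrypted' file carrying the marker, one ransom note,
    one Startup-folder shortcut, and one clean file that must not be flagged."""
    docs = root / "Users" / "victim" / "Documents"
    docs.mkdir(parents=True)
    # Deterministic filler stands in for ciphertext; the encoded key block is simulated as zeros.
    (docs / "report.docx.ExampleCorp").write_bytes(b"\xab" * 2048 + b"\x00" * 16 + FILE_MARKER)
    (docs / "RESTORE_FILES_INFO.txt").write_text("constructed note text, not the real ransom note")
    (docs / "notes.txt").write_text("ordinary user file")
    startup = (root / "Users" / "victim" / "AppData" / "Roaming" / "Microsoft" / "Windows"
               / "Start Menu" / "Programs" / "Startup")
    startup.mkdir(parents=True)
    (startup / STARTUP_LNK).write_bytes(b"L\x00\x00\x00")   # placeholder shortcut header


def run_demo() -> Dict[str, List[str]]:
    """Build the fixture in a temporary directory, sweep it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, tags in sorted(run_demo().items()):
        print(f"{rel}: {', '.join(tags)}")
```

In a real sweep you would point `scan_tree` at a mounted image or a user profile rather than the fixture, and treat a single `encrypted_marker` hit as enough to isolate the host: the marker is written by the encryptor itself, so unlike the note names it cannot be planted by a prank or a copied sample.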