A new Thanos ransomware campaign was observed targeting mid-level employees of multiple organizations in Austria, Switzerland, and Germany. The attack starts with a phishing email, sent through the free email provider "GMX," that uses lures related to billing and tax repayment. The emails carry a malicious Excel attachment titled "379710.xlsm." When the file is opened, the victim is prompted to enable macros; if they do, the malicious macros embedded in the workbook execute and install the GuLoader malware dropper, which in turn downloads the Thanos ransomware onto the system. Once on the system, the ransomware encrypts files such as .docx, .pdf, .xlsx and .csv using AES-256 and locks the system. After encryption, it displays a ransom screen and a note with instructions for paying the ransom demand of about $280 in Bitcoin.
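To show how the attachment stage of this chain can be caught at a mail gateway, here is an added example (not from the Nuspire report): it checks whether an Office attachment carries a VBA project and combines that with the sender and lure indicators described above. The free-mail domain list, the lure keywords and the sample workbook bytes are constructed assumptions for this example.

```python
import io
import re
import zipfile

# Free-mail domains of the provider named in the campaign (GMX). Assumed list:
# extend it to whatever providers your gateway sees abused.
FREE_MAIL_DOMAINS = {"gmx.de", "gmx.net", "gmx.at", "gmx.ch"}
# Billing / tax-repayment lure words (German and English); constructed for this example.
LURE_WORDS = re.compile(r"\b(rechnung|invoice|steuer|tax|r[üu]ckzahlung|repayment|billing)\b", re.I)


def has_vba_macros(attachment: bytes) -> bool:
    """An OOXML workbook is a zip container; macro-enabled files carry xl/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(attachment)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not an OOXML container (e.g. legacy .xls); handle separately


def triage(sender: str, subject: str, filename: str, attachment: bytes) -> dict:
    """Return the matched indicators and a quarantine verdict for one message."""
    domain = sender.rsplit("@", 1)[-1].lower()
    hits = {
        "free_mail_sender": domain in FREE_MAIL_DOMAINS,
        "billing_tax_lure": bool(LURE_WORDS.search(subject)),
        "macro_enabled_ext": filename.lower().endswith((".xlsm", ".xlam", ".docm")),
        "contains_vba": has_vba_macros(attachment),
    }
    # Macro content is the deciding signal; a free-mail sender or a lure subject raises it to quarantine.
    hits["quarantine"] = hits["contains_vba"] and (hits["free_mail_sender"] or hits["billing_tax_lure"])
    return hits


def build_workbook(with_macros: bool) -> bytes:
    """Constructed minimal OOXML-style zip for testing; not a real spreadsheet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed-macro-stream")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed message mirroring the campaign's lure and attachment name.
    print(triage("buchhaltung@gmx.de", "Rechnung 379710 - Steuer Rückzahlung",
                 "379710.xlsm", build_workbook(True)))
```

The container check catches renamed macro files too, since `contains_vba` does not depend on the extension.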
Some Thanos ransomware samples have been tagged as the strain dubbed "Hakbit" because affiliates use different encrypted-file extensions. Based on code similarity, string reuse, and core functionality, research attributes with high confidence the Hakbit samples to the Thanos ransomware builder, developed by a threat actor who goes by the moniker "Nosophoros."
The largest volume of messages observed was sent to organizations operating in multiple industries, such as information technology, manufacturing, insurance, and technology. Researchers also observed that the majority of targeted roles were customer-facing positions with publicly listed business contact information, including attorneys, client advisors, directors, insurance advisors, managing directors, and project managers.
Nuspire recommends that organizations use the following mitigations against phishing and ransomware attacks:
- Maintain up-to-date antivirus signatures and engines
- Keep operating system patches up-to-date
- Restrict users' permissions to install and run unwanted software applications
- Provide phishing and social engineering training to the employees
- Disable unnecessary services on agency workstations and servers
- Use a dedicated email service with strong malware filtering
- Use strong passwords and enforce multi-factor authentication where possible
- Use reputable antivirus solutions like next-gen Endpoint Protection